diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/.helmignore b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/.helmignore
new file mode 100644
index 000000000..be86b789d
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Helm files
+OWNERS
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/Chart.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/Chart.yaml
new file mode 100644
index 000000000..fe6ef0b4c
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator
+ catalog.cattle.io/release-name: k8s-triliovault-operator
+apiVersion: v1
+appVersion: 2.6.7
+description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault
+ Application Lifecycle.
+home: https://github.com/trilioData/k8s-triliovault-operator
+icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
+kubeVersion: '>=1.18.0-0'
+maintainers:
+- email: prafull.ladha@trilio.io
+ name: prafull11
+name: k8s-triliovault-operator
+sources:
+- https://github.com/trilioData/k8s-triliovault-operator
+version: 2.6.700
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/LICENSE b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/LICENSE
new file mode 100644
index 000000000..76b559d3b
--- /dev/null
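Review bot: `apiVersion: v1` in the new Chart.yaml keeps this chart on the Helm 2 chart schema, even though `kubeVersion: '>=1.18.0-0'` and the `crds/` directory shipped alongside it are aimed at Helm 3-era tooling; Helm 3 expects `apiVersion: v2` for charts that only support Helm 3, and the v1 schema cannot declare `type: application` or dependencies in Chart.yaml. If Helm 2 compatibility is not a goal for this chart, change the line to `apiVersion: v2` and add `type: application` next to it. The unquoted `appVersion: 2.6.7` and `version: 2.6.700` parse as strings because of the two dots, so they need no quoting, and the single quotes around `kubeVersion` are required since a leading `>` would otherwise be read as a folded block scalar. The `description` value is wrapped as a plain multi-line scalar; a `>-` folded block would make the wrapping intent explicit to the next editor.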
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/LICENSE @@ -0,0 +1 @@ +# Placeholder for the License if we decide to provide one diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/README.md b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/README.md new file mode 100644 index 000000000..469bfff1a --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/README.md 
@@ -0,0 +1,124 @@ +# K8s-TrilioVault-Operator +This operator is to manage the lifecycle of TrilioVault Backup/Recovery solution. This operator install, updates and manage the TrilioVault application. + +## Introduction + +## Prerequisites + +- Kubernetes 1.18+ +- Alpha feature gates should be enabled +- PV provisioner support +- CSI driver should be installed + +## Installation + +To install the operator on local setup just run the latest helm charts inside this repo + +```shell script +helm repo add trilio-vault-operator https://charts.k8strilio.net/trilio-stable/k8s-triliovault-operator +helm install tvm trilio-vault-operator/k8s-triliovault-operator +``` + +Now, create a TrilioVaultManager CR to install the TrilioVault for Kubernetes. You can provide the custom configurations for the TVK resources as follows: + +``` +apiVersion: triliovault.trilio.io/v1 +kind: TrilioVaultManager +metadata: + labels: + triliovault: k8s + name: tvk +spec: + trilioVaultAppVersion: latest + applicationScope: Cluster + # User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section + ingressConfig: + host: "trilio.co.in" + tlsSecretName: "secret-name" + # TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook. 
+ # User can configure resources for all componentes and can configure service type and host for the ingress-controller + componentConfiguration: + web-backend: + resources: + requests: + memory: "400Mi" + cpu: "200m" + limits: + memory: "2584Mi" + cpu: "1000m" + ingress-controller: + enabled: true + service: + type: LoadBalancer +``` + +### Apply the Custom Resource + +Apply `TVM.yaml`: + +```shell +kubectl create -f TVM.yaml +``` + +Check that the pods were created: + +``` +kubectl get pods +``` + +``` +NAME READY STATUS RESTARTS AGE +k8s-triliovault-admission-webhook-6ff5f98c8-qwmfc 1/1 Running 0 81s +k8s-triliovault-backend-6f66b6b8d5-gxtmz 1/1 Running 0 81s +k8s-triliovault-control-plane-6c464c5d78-ftk6g 1/1 Running 0 81s +k8s-triliovault-exporter-59566f97dd-gs4xc 1/1 Running 0 81s +k8s-triliovault-ingress-controller-84cf46848-tkcdz 1/1 Running 0 18s +k8s-triliovault-web-967c8475-m7pc6 1/1 Running 0 81s +tvm-k8s-triliovault-operator-66bd7d86d5-dvhzb 1/1 Running 0 6m48s +``` + +Check that ingress controller service is of type LoadBalancer: +``` +k8s-triliovault-admission-webhook ClusterIP 10.255.241.108 443/TCP 2m7s +k8s-triliovault-ingress-gateway LoadBalancer 10.255.254.153 34.75.176.146 80:30737/TCP,443:30769/TCP 2m7s +k8s-triliovault-web ClusterIP 10.255.245.52 80/TCP 2m7s +k8s-triliovault-web-backend ClusterIP 10.255.250.166 80/TCP 2m7s +kubernetes ClusterIP 10.255.240.1 443/TCP 6m9s +tvm-k8s-triliovault-operator-webhook-service ClusterIP 10.255.249.77 443/TCP 3m22s +``` + +Check that ingress resources has the host defined by the user: +``` +NAME CLASS HOSTS ADDRESS PORTS AGE +k8s-triliovault-ingress-master nginx trilio.co.in 80 98s +k8s-triliovault-ingress-minion nginx trilio.co.in 80 98s + +``` + +## Delete + +```shell +kubectl delete -f TVM.yaml +``` + +## Uninstall + +To uninstall/delete the operator helm chart : + +```bash +helm uninstall tvm +``` + +## TrilioVaultManager compatibility + +The following table captures the compatibility matrix of the 
TrilioVault Manager against TVK: + +| TVM Version | TVK 2.5.2 | TVK 2.5.1 | TVK 2.5.0 | TVK 2.1.0 | TVK 2.0.5 | TVK 2.0.4 | TVK 2.0.3 | TVK 2.0.2 | TVK 2.0.1 | +|-------------|-----------|-----------|-----------|-----------|-----------|-----------|-----------|-----------|-----------| +| 2.5.2 | yes | yes | yes | yes | yes | yes | yes | yes | yes | +| 2.5.0 | no | yes | yes | yes | yes | yes | yes | yes | yes | +| v2.1.0 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.5 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.2 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.1 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.0 | no | no | no | yes | yes | yes | yes | yes | yes | diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/crds/triliovault.trilio.io_triliovaultmanagers.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/crds/triliovault.trilio.io_triliovaultmanagers.yaml new file mode 100644 index 000000000..22e62d8ef --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/crds/triliovault.trilio.io_triliovaultmanagers.yaml 
@@ -0,0 +1,1183 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: triliovaultmanagers.triliovault.trilio.io +spec: + group: triliovault.trilio.io + names: + kind: TrilioVaultManager + listKind: TrilioVaultManagerList + plural: triliovaultmanagers + shortNames: + - tvm + singular: triliovaultmanager + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trilioVaultAppVersion + name: TrilioVault-Version + type: string + - jsonPath: .spec.applicationScope + name: Scope + type: string + - jsonPath: .status.conditions.type + name: Status + type: string + - jsonPath: .spec.restoreNamespaces + name: Restore-Namespaces + type: string + name: v1 + schema: + openAPIV3Schema: + description: TrilioVaultManager is the Schema for the triliovaultmanagers + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TrilioVaultManagerSpec defines the desired state of TrilioVaultManager + properties: + affinity: + description: The scheduling constraints on application pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. 
The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. 
This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. 
When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. 
+ type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. 
The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + applicationScope: + description: Scope for the application which will be installed in + the cluster NamespaceScope or ClusterScope + enum: + - Cluster + - Namespaced + type: string + componentConfiguration: + description: ComponentConfiguration holds all the field related to + components. 
+ properties: + admission-webhook: + description: AdmissionWebhook holds all configuration keys related + to admission-webhook + type: object + x-kubernetes-preserve-unknown-fields: true + control-plane: + description: ControlPlane holds all configuration keys related + to control-plane + type: object + x-kubernetes-preserve-unknown-fields: true + exporter: + description: Exporter holds all configuration keys related to + exporter + type: object + x-kubernetes-preserve-unknown-fields: true + ingress-controller: + description: IngressController holds all configuration keys related + to ingress-controller + type: object + x-kubernetes-preserve-unknown-fields: true + web: + description: Web holds all configuration keys related to web + type: object + x-kubernetes-preserve-unknown-fields: true + web-backend: + description: WebBackend holds all configuration keys related to + web-backend + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + dataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Deprecated: DataJobLimits are the resource limits for + all the data processing jobs.' + type: object + dataJobResources: + description: DataJobResources is the resource limits & requests for + all the data processing jobs. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + deploymentLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: DeploymentLimits are the resource limits for all the + deployments. + type: object + helmValues: + description: HelmValues holds all the additional fields in the values.yaml + of TVK helm chart. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + helmVersion: + description: 'Deprecated: Helm Version' + properties: + tillerNamespace: + type: string + version: + enum: + - v3 + type: string + required: + - version + type: object + ingressConfig: + description: IngressConfig holds field related to ingress + properties: + annotations: + additionalProperties: + type: string + type: object + host: + type: string + ingressClass: + type: string + tlsSecretName: + type: string + type: object + metadataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Deprecated: MetadataJobLimits are the resource limits + for all the meta processing jobs.' + type: object + metadataJobResources: + description: MetadataJobResources is the resource limits & requests + for all the meta processing jobs. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: NodeSelector specifies a map of key-value pairs. For + the pod to be eligible to run on a node, the node must have each + of the indicated key-value pairs as labels. + type: object + resources: + description: 'Deprecated: Resources are the resource requirements + for the containers.' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restoreNamespaces: + description: 'Deprecated: RestoreNamespaces are the namespace where + you want to restore your applications. Restore Namespaces depends + on your k8s RBAC' + items: + type: string + type: array + tolerations: + description: The toleration of application against the specific taints + on the nodes + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . 
+ properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. 
+ type: string + type: object + type: array + trilioVaultAppVersion: + description: Helm Chart version + type: string + required: + - applicationScope + type: object + status: + description: TrilioVaultManagerStatus defines the observed state of TrilioVaultManager + properties: + conditions: + properties: + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + minLength: 0 + type: string + reason: + enum: + - InstallSuccessful + - UpdateSuccessful + - UninstallSuccessful + - InstallError + - UpdateError + - ReconcileError + - UninstallError + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + enum: + - Initialized + - Deployed + - Updated + - ReleaseFailed + - Irreconcilable + type: string + type: object + deployedRelease: + properties: + manifest: + type: string + name: + type: string + type: object + releaseVersion: + type: string + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/NOTES.txt b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/NOTES.txt new file mode 100644 index 000000000..c5036ebf2 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/NOTES.txt 
@@ -0,0 +1,66 @@ +TrilioVault Operator is a helm based operator which install/upgrade/delete the helm Chart of the TrilioVault For Kubernetes. +This operator watches over the entire helm application of TrilioVault for Kubernetes and has self-healing capabilities. + +To verify that TrilioVault Operator has started, run: + + kubectl --namespace={{ .Release.Namespace }} wait --for=condition=ready pod -l "release={{ .Release.Name }}" + +{{ if .Values.installTVK.enabled }} +In one click install, a cluster scope TVM custom resource triliovault-manager is created, you can check its +configuration by running following command: + +kubectl --namespace {{ .Release.Namespace }} get triliovaultmanagers.triliovault.trilio.io triliovault-manager -o yaml + +{{- else }} + +Once the Triliovault operator is in running state, you can create the TrilioVault for Kubernetes(TVK) with the +following custom resource: + + apiVersion: triliovault.trilio.io/v1 + kind: TrilioVaultManager + metadata: + labels: + app: triliovault + name: triliovault-manager + namespace: {{ .Release.Namespace }} + spec: + trilioVaultAppVersion: latest + applicationScope: Cluster + ingressConfig: + host: "tvk.trilio.net" + componentConfiguration: + ingress-controller: + enabled: true + service: + type: LoadBalancer + +Once the above CR has been created, you have to wait for the TVK pods to come up. +{{- end }} + +To check all the TVK pods come into running state, run: + + kubectl --namespace {{ .Release.Namespace }} wait --for=condition=ready pod -l "release=triliovault-manager-{{ .Release.Namespace }}" + +Once all the pods are in running state, you can access the TVK UI from your browser using following steps: + +{{- if .Values.installTVK.enabled }} +{{- if eq .Values.installTVK.ComponentConfiguration.ingressController.service.type "LoadBalancer" }} + 1. Add the /etc/hosts entry: ` {{ .Release.Namespace}}.k8s-tvk.com` + 2. Hit the URL in browser: https://{{ .Release.Namespace}}.k8s-tvk.com +{{- else }} + 1. 
Add the /etc/hosts entry: ` {{ .Release.Namespace}}.k8s-tvk.com` + 2. Find the NodePort from the service `k8s-triliovault-ingress-gateway` + 3. Hit the URL in browser with NodePort: http://{{ .Release.Namespace}}.k8s-tvk.com:/ +{{- end }} +{{- else }} + 1. Add the /etc/hosts entry: ` tvk.trilio.net` + 2. Hit the URL in browser: https://tvk.trilio.net + +Note: The host `tvk.trilio.net` is used from the `ingressConfig.host` defined in the TVM CR by the user. + +{{- end }} + +For more details on how to access the TVK UI, follow this guide: https://docs.trilio.io/kubernetes/management-console/user-interface/accessing-the-ui + +You can start backup and restore of your application using TVK. For more details on how to do that, please follow our +getting started guide: https://docs.trilio.io/kubernetes/getting-started/getting-started-1 diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/TVMCustomResource.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/TVMCustomResource.yaml new file mode 100644 index 000000000..7b7553581 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/TVMCustomResource.yaml 
@@ -0,0 +1,41 @@
+{{- if .Values.installTVK.enabled }}
+{{- if not (lookup "triliovault.trilio.io/v1" "TrilioVaultManager" "" "").items }}
+ {{template "k8s-triliovault-operator.tlsSecretValidation" .}}
+apiVersion: triliovault.trilio.io/v1
+kind: TrilioVaultManager
+metadata:
+ name: "triliovault-manager"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install
+spec:
+ {{- if eq .Chart.Version "0.1.0" }}
+ trilioVaultAppVersion: latest
+ {{- else}}
+ trilioVaultAppVersion: {{ .Chart.AppVersion }}
+ {{- end }}
+ applicationScope: {{ .Values.installTVK.applicationScope }}
+ # User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section
+ ingressConfig:
+ {{- if and (gt (len .Values.installTVK.ingressConfig.annotations) 0) (not .Values.installTVK.ComponentConfiguration.ingressController.enabled) }}
+ annotations:
+ {{- range $key, $value := .Values.installTVK.ingressConfig.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end -}}
+ {{- end }}
+ host: {{ .Values.installTVK.ingressConfig.host | default (printf "%s.k8s-tvk.com" $.Release.Namespace) | quote }}
+ {{- if not .Values.installTVK.ComponentConfiguration.ingressController.enabled }}
+ ingressClass: {{ .Values.installTVK.ingressConfig.ingressClass | quote }}
+ {{- end }}
+ {{- if .Values.installTVK.ingressConfig.tlsSecretName }}
+ tlsSecretName: {{ .Values.installTVK.ingressConfig.tlsSecretName | quote }}
+ {{- end }}
+ # TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook.
+ # User can configure resources for all componentes and can configure service type and host for the ingress-controller
+ componentConfiguration:
+ ingress-controller:
+ enabled: {{ .Values.installTVK.ComponentConfiguration.ingressController.enabled }}
+ service:
+ type: {{ .Values.installTVK.ComponentConfiguration.ingressController.service.type }}
+{{- end -}}
+{{- end -}}
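Review bot: The TrilioVaultManager object is emitted as a `"helm.sh/hook": pre-install` resource, so Helm does not track it as part of the release: `helm uninstall` leaves it behind and a later `helm upgrade` with changed `installTVK.*` values does not reconcile it, which nothing in the template says. The `lookup` guard on the second line also evaluates to an empty list under `helm template`/`--dry-run`, so a dry run always renders the CR even when one already exists. Document both next to the annotation, e.g. `# pre-install hook: not owned by the release (uninstall/upgrade leave it untouched); lookup() is empty in dry-run.` The `{{- if eq .Chart.Version "0.1.0" }}` branch presumably dates from a development build and is dead for a packaged release; drop it or comment why it is kept.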
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/_helpers.tpl b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/_helpers.tpl
new file mode 100644
index 000000000..46d123feb
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/_helpers.tpl
@@ -0,0 +1,66 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "k8s-triliovault-operator.name" -}} +{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "k8s-triliovault-operator.appName" -}} +{{- printf "%s" .Chart.Name -}} +{{- end -}} + + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "k8s-triliovault-operator.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper TrilioVault Operator image name +*/}} +{{- define "k8s-triliovault-operator.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} + +{{/* +Validation of the secret of CA bundle if provided +*/}} +{{- define "k8s-triliovault-operator.caBundleValidation" -}} +{{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} +{{- if not (lookup "v1" "ConfigMap" .Release.Namespace .Values.proxySettings.CA_BUNDLE_CONFIGMAP) }} + {{ fail "Proxy CA bundle proxy is not present in the release namespace" }} +{{- else }} + {{- $caMap := (lookup "v1" "ConfigMap" .Release.Namespace .Values.proxySettings.CA_BUNDLE_CONFIGMAP).data }} + {{- if not (get $caMap "ca-bundle.crt") }} + {{ fail "Proxy CA certificate file key should be ca-bundle.crt" }} + {{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Validation for the ingress tlsSecret, should exists if provided +*/}} + +{{- define 
"k8s-triliovault-operator.tlsSecretValidation" }}
+{{- if .Values.installTVK.ingressConfig.tlsSecretName -}}
+{{- if not (lookup "v1" "Secret" .Release.Namespace .Values.installTVK.ingressConfig.tlsSecretName ) -}}
+ {{ fail "Ingress tls secret is not present in the release namespace" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/clusterrole.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/clusterrole.yaml
new file mode 100644
index 000000000..b3eed777d
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/clusterrole.yaml
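Review bot: The first `fail` message in `k8s-triliovault-operator.caBundleValidation` reads `Proxy CA bundle proxy is not present in the release namespace`; it should name the object actually being looked up, `{{ fail "Proxy CA bundle ConfigMap is not present in the release namespace" }}`. Both validation helpers rely on `lookup`, which returns nothing under `helm template`/`--dry-run`, so the checks are silently skipped there; a one-line comment in each define header saying so would stop readers assuming the Secret/ConfigMap was verified. `k8s-triliovault-operator.image` builds the image from `.Values.image.registry`/`.repository`/`.tag`, whereas the deployment template on this page assembles images from `.Values.registry`, a per-component `repository` and `.Values.tag`; if the helper is unused, remove it rather than keeping two image conventions in one chart.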
@@ -0,0 +1,125 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{template "k8s-triliovault-operator.name" .}}-{{.Release.Namespace}}-manager-role + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{template "k8s-triliovault-operator.appName" .}}-manager-role + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - update + - delete + - patch + - apiGroups: + - "" + resources: + - serviceaccounts + - services + - services/finalizers + - secrets + - events + - pods + - endpoints + - configmaps + verbs: + - create + - update + - delete + - patch + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - create + - update + - delete + - patch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - update + - delete + - patch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - create + - update + - delete + - patch + - bind + - escalate + - apiGroups: + - triliovault.trilio.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - "" + resources: + - namespaces + verbs: + - update + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - delete + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - patch + - update + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io 
+ resources:
+ - ingressclasses
+ verbs:
+ - delete
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/clusterrole_binding.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/clusterrole_binding.yaml
new file mode 100644
index 000000000..49d5655f6
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/clusterrole_binding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-rolebinding
+ labels:
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-manager-rolebinding
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-role
+subjects:
+- kind: ServiceAccount
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/deployment.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/deployment.yaml
new file mode 100644
index 000000000..580f5774e
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/deployment.yaml
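Review bot: Taken together these ClusterRole rules give the operator's service account cluster-admin-equivalent power — get/list/watch on every resource in every namespace (which includes Secrets), create/update/delete/patch on secrets, serviceaccounts, pods and configmaps cluster-wide, `bind` and `escalate` on clusterroles and clusterrolebindings, and write access to mutating/validating webhook configurations — and no rule says which operator function needs it. Add a comment above each `- apiGroups:` entry naming the consumer (for example `# CRD install/upgrade for triliovault.trilio.io` on the apiextensions rule), so cluster operators can assess the blast radius of a compromised operator pod. Where the operator only manages objects in its own release namespace, the namespace-scoped write grants (secrets, configmaps, serviceaccounts, services, pods, deployments, poddisruptionbudgets, ingresses) could move to a Role/RoleBinding in `.Release.Namespace`, keeping the ClusterRole for CRDs, webhook configurations, RBAC and the read-only wildcard; whether that is feasible depends on the operator's reconcile logic, which is outside this hunk.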
@@ -0,0 +1,202 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + selector: + matchLabels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + spec: + hostNetwork: {{ .Values.podSpec.hostNetwork }} + hostIPC: {{ .Values.podSpec.hostIPC }} + hostPID: {{ .Values.podSpec.hostPID }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.podSpec.securityContext | nindent 8 }} + {{- end }} + containers: + - name: k8s-triliovault-operator + image: {{ .Values.registry }}/{{ index .Values "k8s-triliovault-operator" "repository" }}:{{ .Values.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.proxySettings.PROXY_ENABLED }} + envFrom: + - secretRef: + name: {{ template "k8s-triliovault-operator.fullname" . 
}}-proxy + {{- end }} + env: + {{- if .Values.proxySettings.PROXY_ENABLED }} + - name: PROXY_SETTINGS_SECRET + value: {{ template "k8s-triliovault-operator.fullname" . }}-proxy + {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: PROXY_CA_CONFIGMAP + value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- end }} + {{- if .Values.tvkEnv }} + - name: TVK_ENV + value: {{ .Values.tvkEnv }} + {{- end}} + {{- if .Values.tvkHelmRepo }} + - name: TVK_HELM_REPO + value: {{ .Values.tvkHelmRepo }} + {{- end }} + - name: INSTALL_NAMESPACE + value: {{ .Release.Namespace }} + - name: REGISTRY + value: {{ .Values.registry }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: NAMESPACE_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration + livenessProbe: + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + volumeMounts: + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: proxy-ca-cert + mountPath: /proxy-certs + readOnly: true + {{- end }} + {{- if .Values.tls.enable }} + - name: helm-tls-certs + mountPath: /root/.helm + readOnly: true + {{- if .Values.tls.verify }} + - name: helm-tls-ca + mountPath: /root/.helm/ca.crt + readOnly: true + {{- end }} + {{- end }} + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | 
nindent 12 }} + {{- end }} + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 10Mi + initContainers: + - name: webhook-init + image: {{ .Values.registry }}/{{ index .Values "operator-webhook-init" "repository" }}:{{ .Values.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.proxySettings.PROXY_ENABLED }} + envFrom: + - secretRef: + name: {{ template "k8s-triliovault-operator.fullname" . }}-proxy + {{- end }} + env: + {{- if .Values.proxySettings.PROXY_ENABLED }} + - name: PROXY_SETTINGS_SECRET + value: {{ template "k8s-triliovault-operator.fullname" . }}-proxy + {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: PROXY_CA_CONFIGMAP + value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- end }} + - name: TVK_ENV + value: {{ .Values.tvkEnv }} + - name: TVK_HELM_REPO + value: {{ .Values.tvkHelmRepo }} + - name: RELEASE_VERSION + value: {{ .Chart.AppVersion }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: NAMESPACE_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration + - name: WEBHOOK_SERVICE + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + - name: WEBHOOK_NAMESPACE + value: {{ .Release.Namespace }} + - name: SECRET_NAME + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + volumeMounts: + - name: proxy-ca-cert + mountPath: /proxy-certs + readOnly: true + {{- end }} + serviceAccountName: {{ template "k8s-triliovault-operator.fullname" . 
}}-service-account + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + volumes: + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: proxy-ca-cert + configMap: + name: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- if .Values.tls.enable }} + - name: helm-tls-certs + secret: + secretName: {{ .Values.tls.secretName }} + defaultMode: 0400 + {{- if .Values.tls.verify }} + - name: helm-tls-ca + configMap: + name: {{ template "helm-operator.fullname" . }}-helm-tls-ca-config + defaultMode: 0600 + {{- end }} + {{- end }} + - name: webhook-certs + secret: + defaultMode: 420 + secretName: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/mutating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/mutating-webhook.yaml new file mode 100644 index 000000000..692feec4e --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/mutating-webhook.yaml 
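Review bot: The `helm-tls-ca` volume references `{{ template "helm-operator.fullname" . }}-helm-tls-ca-config`, a template name that the chart's `_helpers.tpl` on this page does not define (it defines `k8s-triliovault-operator.fullname`), so rendering with both `tls.enable` and `tls.verify` set fails at template time; it should read `name: {{ template "k8s-triliovault-operator.fullname" . }}-helm-tls-ca-config`. The pod-level security context is guarded by `{{- if .Values.securityContext }}` but renders `.Values.podSpec.securityContext`, so one key is tested and another emitted; the guard should be `{{- if .Values.podSpec.securityContext }}` to match the container-level blocks further down that test and render the same key. Env entries such as `value: {{ .Values.tvkEnv }}`, `value: {{ .Values.tvkHelmRepo }}` and `value: {{ .Chart.AppVersion }}` are unquoted, and an env `value` must be a string, so a numeric- or boolean-looking value would fail API validation; append `| quote` to them. `hostNetwork`/`hostIPC`/`hostPID` are driven straight from values with no comment; a note that they are expected to remain `false` for the operator would help reviewers of values overrides.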
@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration
+ labels:
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-mutating-webhook-configuration
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-triliovault-trilio-io-v1-triliovaultmanager
+ failurePolicy: Fail
+ name: v1-tvm-mutation.trilio.io
+ rules:
+ - apiGroups:
+ - triliovault.trilio.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - triliovaultmanagers
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/ns-validating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/ns-validating-webhook.yaml
new file mode 100644
index 000000000..f0e0618e2
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/ns-validating-webhook.yaml
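Review bot: `caBundle: Cg==` is a placeholder (base64 of a single newline), so with `failurePolicy: Fail` every CREATE/UPDATE of a TrilioVaultManager is rejected until something replaces it; the deployment's `webhook-init` container is handed `ADMISSION_MUTATION_CONFIG` and `ADMISSION_VALIDATION_CONFIG`, which suggests it patches the bundle at pod start, but nothing in the template says so. A comment above `caBundle` naming the owner of the field would stop the next reader from treating it as a bug, e.g. `# placeholder: rewritten at runtime by the webhook-init container (ADMISSION_MUTATION_CONFIG)`. The same applies to validating-webhook.yaml and ns-validating-webhook.yaml in this commit. It is also worth stating in the README whether a `helm upgrade` that re-renders this placeholder can briefly reset a bundle the init container already wrote, since that would surface as TVM admission failures right after an upgrade.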
@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration
+ labels:
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-ns-validating-webhook-configuration
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-core-v1-namespace
+ failurePolicy: Fail
+ name: v1-tvm-ns-validation.trilio.io
+ namespaceSelector:
+ matchExpressions:
+ - key: trilio-operator-label
+ operator: In
+ values:
+ - {{ .Release.Namespace }}
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - DELETE
+ resources:
+ - namespaces
+ scope: '*'
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/proxyConfig.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/proxyConfig.yaml
new file mode 100644
index 000000000..99725af36
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/proxyConfig.yaml
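Review bot: This webhook blocks DELETE on every namespace carrying `trilio-operator-label: <release namespace>` with `failurePolicy: Fail`, so whenever the webhook pods are unreachable (crash loop, node drain, or the operator already removed with the label left behind) those namespaces cannot be deleted until someone removes the ValidatingWebhookConfiguration by hand. Nothing in this diff applies the `trilio-operator-label` label; presumably the init container or the operator does, and a comment above `namespaceSelector` should say where, e.g. `# label is applied by the operator at runtime; namespaces without it are not guarded`. The README should carry the recovery step for the stuck-namespace case, and it is worth deciding explicitly whether `failurePolicy: Ignore` is acceptable for this guard, since a failed call here only weakens a safety interlock rather than admitting a malformed object. The `- {{ .Release.Namespace }}` value is unquoted; a namespace name that parses as something other than a string would break the selector, so `- "{{ .Release.Namespace }}"` is the safer form.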
@@ -0,0 +1,21 @@
+{{- if .Values.proxySettings.PROXY_ENABLED }}
+ {{ template "k8s-triliovault-operator.caBundleValidation" . }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-proxy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-proxy
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+ {{- range $key, $val := .Values.proxySettings }}
+ {{ $val = $val| toString | b64enc }}
+ {{- if $val -}}
+ {{ $key }}: {{ $val }}
+ {{- end -}}
+ {{- end }}
+type: Opaque
+{{- end }}
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/secret.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/secret.yaml
new file mode 100644
index 000000000..782140c5a
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-webhook-certs
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/serviceAccount.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/serviceAccount.yaml
new file mode 100644
index 000000000..4c51e5fa4
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/serviceAccount.yaml
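Review bot: The `range` over `.Values.proxySettings` base64-encodes and stores every key, not only the proxy URLs, so `PROXY_ENABLED` and `CA_BUNDLE_CONFIGMAP` land in the Secret and, through the deployment's `envFrom: secretRef`, in the init container's environment as well; an explicit allow-list of `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` would make the Secret's contents predictable. If operators put credentials into `HTTP_PROXY`/`HTTPS_PROXY` in the usual `user:pass@host` form, those now live in plaintext in values.yaml and in the stored release, which values.yaml should say next to the keys. The leading `{{ template "k8s-triliovault-operator.caBundleValidation" . }}` sits on an indented line above `apiVersion:`; if that helper ever emits text the Secret manifest stops being valid YAML, so a trimmed `{{- template "..." . -}}` is safer — the helper itself is not in this chunk, so this is unverified.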
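Review bot: The `webhook-certs` Secret is rendered with no `data`; the deployment passes its name to the init container as `SECRET_NAME` and mounts it as `webhook-certs`, which suggests the certificates are written into it at runtime, but the template does not say so. A comment above `type: Opaque` such as `# intentionally empty: the webhook-init container writes the TLS material at pod start (SECRET_NAME)` documents the contract, and the README should note that a `helm upgrade` which changes this template may re-render the object without its runtime data, so the init container must be able to regenerate it.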
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-service-account
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/validating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/validating-webhook.yaml
new file mode 100644
index 000000000..c66b6a429
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/validating-webhook.yaml
@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration
+ labels:
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-validating-webhook-configuration
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-triliovault-trilio-io-v1-triliovaultmanager
+ failurePolicy: Fail
+ name: v1-tvm-validation.trilio.io
+ rules:
+ - apiGroups:
+ - triliovault.trilio.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - triliovaultmanagers
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/webhook-service.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/webhook-service.yaml
new file mode 100644
index 000000000..bed6993c7
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/templates/webhook-service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "k8s-triliovault-operator.fullname" . }}
+ release: "{{ .Release.Name }}"
+ app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
+ app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-webhook-service
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 9443
+ selector:
+ app: {{ template "k8s-triliovault-operator.fullname" . }}
+ release: "{{ .Release.Name }}"
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/values.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/values.yaml
new file mode 100644
index 000000000..e40b79b75
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.6.700/values.yaml
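Review bot: The `selector` relies on the legacy `app`/`release` label pair while every other resource in the chart is labelled with `app.kubernetes.io/*`; the pod template labels it must match live in the operator Deployment, whose head is outside this chunk, so a comment above `selector:` such as `# must match the pod template labels of the operator Deployment` would make the coupling visible. Across the commit, `app.kubernetes.io/instance` is set to a fixed appName-derived string rather than `.Release.Name`, so two releases of the chart would share the same instance label, which is not what the recommended-labels convention intends. The port entry has no `name`; `name: https` keeps the Service self-describing and matches the default port 443 that the webhook `clientConfig.service` entries rely on.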
@@ -0,0 +1,76 @@
+## TrilioVault Operator
+registry: "eu.gcr.io/amazing-chalice-243510"
+
+operator-webhook-init:
+ repository: operator-webhook-init
+
+k8s-triliovault-operator:
+ repository: k8s-triliovault-operator
+
+tag: "2.6.7"
+
+tvkHelmRepo: ""
+
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+
+image:
+ pullPolicy: Always
+tls:
+ secretName: "helm-client-certs"
+ verify: false
+ enable: false
+ keyFile: "tls.key"
+ certFile: "tls.crt"
+ caContent: ""
+ hostname: ""
+
+nameOverride: ""
+
+replicaCount: 1
+
+proxySettings:
+ PROXY_ENABLED: false
+ NO_PROXY: ""
+ HTTP_PROXY: ""
+ HTTPS_PROXY: ""
+ CA_BUNDLE_CONFIGMAP: ""
+
+podSpec:
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+
+securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+
+installTVK:
+ enabled: true
+ applicationScope: Cluster
+ ingressConfig:
+ host: ""
+ tlsSecretName: ""
+ annotations: {}
+ ingressClass: ""
+ ComponentConfiguration:
+ ingressController:
+ enabled: true
+ service:
+ type: LoadBalancer
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/.helmignore b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/.helmignore
new file mode 100644
index 000000000..be86b789d
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/.helmignore
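Review bot: The deployment template reads `.Values.tvkEnv` for the `TVK_ENV` env var, but this values.yaml defines no `tvkEnv` key, so it renders as an empty value and the knob is undiscoverable; add `tvkEnv: ""` (or its intended default) with a one-line comment. `securityContext.readOnlyRootFilesystem: false` and the missing `seccompProfile` are the two hardening gaps in otherwise restrictive defaults — if the operator only writes under a known path, `readOnlyRootFilesystem: true` with an `emptyDir` mount is the usual fix, and `seccompProfile: {type: RuntimeDefault}` under `podSpec.securityContext` is available from 1.19, so gate it on the chart's 1.18 `kubeVersion` floor if that matters. `installTVK.ComponentConfiguration.ingressController.service.type: LoadBalancer` exposes the TVK ingress, and with it the UI, externally by default; a `ClusterIP` default with the README showing how to opt in is the safer posture. The `tls.*` block feeds the deployment's `helm-tls-*` volumes, which reference a `helm-operator.fullname` template unlike the `k8s-triliovault-operator.*` helpers used everywhere else — confirm that helper exists in the chart's helpers file (not in this chunk), otherwise `tls.enable: true` with `tls.verify: true` fails to render.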
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Helm files
+OWNERS
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/Chart.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/Chart.yaml
new file mode 100644
index 000000000..7a908b76b
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator
+ catalog.cattle.io/release-name: k8s-triliovault-operator
+apiVersion: v1
+appVersion: 2.7.0
+description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault
+ Application Lifecycle.
+home: https://github.com/trilioData/k8s-triliovault-operator
+icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
+kubeVersion: '>=1.18.0-0'
+maintainers:
+- email: prafull.ladha@trilio.io
+ name: prafull11
+name: k8s-triliovault-operator
+sources:
+- https://github.com/trilioData/k8s-triliovault-operator
+version: 2.7.0
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/LICENSE b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/LICENSE
new file mode 100644
index 000000000..76b559d3b
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/LICENSE
@@ -0,0 +1 @@
+# Placeholder for the License if we decide to provide one
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/README.md b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/README.md
new file mode 100644
index 000000000..b5d8320d5
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/README.md
@@ -0,0 +1,159 @@ +# K8s-TrilioVault-Operator +This operator is to manage the lifecycle of TrilioVault Backup/Recovery solution. This operator install, updates and manage the TrilioVault application. + +## Introduction + +## Prerequisites + +- Kubernetes 1.18+ +- PV provisioner support +- CSI driver should be installed + +### One Click Installation + +In one click install for upstream operator, a cluster scope TVM custom resource `triliovault-manager` is created. + +```shell script +helm repo add trilio-vault-operator https://charts.k8strilio.net/trilio-stable/k8s-triliovault-operator +helm install tvm trilio-vault-operator/k8s-triliovault-operator +``` + +#### One click install Configuration + +The following table lists the configuration parameter of the upstream operator one click install feature and their +default values. + +| Parameter | Description | Default +| --------- | ----------- | ------- +| `installTVK.enabled` | 1 click install feature is enabled | true +| `installTVK.applicationScope` | scope of TVK application created | Cluster +| `installTVK.ingressConfig.host` | host of the ingress resource created | "" +| `installTVK.ingressConfig.tlsSecretName` | tls secret name which contains ingress certs | "" +| `installTVK.ingressConfig.annotations` | annotations to be added on ingress resource | "" +| `installTVK.ingressConfig.ingressClass` | ingress class name for the ingress resource | "" +| `installTVK.ComponentConfiguration.ingressController.enabled` | TVK ingress controller should be deployed | true +| `installTVK.ComponentConfiguration.ingressController.service.type` | TVK ingress controller service type | "LoadBalancer" + +Check the TVM CR configuration by running following command: + +``` +kubectl get triliovaultmanagers.triliovault.trilio.io triliovault-manager -o yaml +``` + +Once the operator pod is in running state, the TVK pods getting spawned. Confirm the [TVK pods are up](#Check-TVK-Install). 
+ +## Manual Installation + +To install the operator on local setup just run the latest helm charts inside this repo + +```shell script +helm repo add trilio-vault-operator https://charts.k8strilio.net/trilio-stable/k8s-triliovault-operator +helm install tvm trilio-vault-operator/k8s-triliovault-operator +``` + +Now, create a TrilioVaultManager CR to install the TrilioVault for Kubernetes. You can provide the custom configurations for the TVK resources as follows: + +``` +apiVersion: triliovault.trilio.io/v1 +kind: TrilioVaultManager +metadata: + labels: + triliovault: k8s + name: tvk +spec: + trilioVaultAppVersion: latest + applicationScope: Cluster + # User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section + ingressConfig: + host: "trilio.co.in" + tlsSecretName: "secret-name" + # TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook. + # User can configure resources for all componentes and can configure service type and host for the ingress-controller + componentConfiguration: + web-backend: + resources: + requests: + memory: "400Mi" + cpu: "200m" + limits: + memory: "2584Mi" + cpu: "1000m" + ingress-controller: + enabled: true + service: + type: LoadBalancer +``` + +### Apply the Custom Resource + +Apply `TVM.yaml`: + +```shell +kubectl create -f TVM.yaml +``` + +### Check TVK Install + +Check that the pods were created: + +``` +kubectl get pods +``` + +``` +NAME READY STATUS RESTARTS AGE +k8s-triliovault-admission-webhook-6ff5f98c8-qwmfc 1/1 Running 0 81s +k8s-triliovault-backend-6f66b6b8d5-gxtmz 1/1 Running 0 81s +k8s-triliovault-control-plane-6c464c5d78-ftk6g 1/1 Running 0 81s +k8s-triliovault-exporter-59566f97dd-gs4xc 1/1 Running 0 81s +k8s-triliovault-ingress-nginx-controller-867c764cd5-qhpx6 1/1 Running 0 18s +k8s-triliovault-web-967c8475-m7pc6 1/1 Running 0 81s +tvm-k8s-triliovault-operator-66bd7d86d5-dvhzb 1/1 Running 0 6m48s +``` + 
+Check that ingress controller service is of type LoadBalancer: +``` +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +k8s-triliovault-admission-webhook ClusterIP 10.7.243.24 443/TCP 129m +k8s-triliovault-ingress-nginx-controller LoadBalancer 10.7.246.193 35.203.155.148 80:30362/TCP,443:32327/TCP 129m +k8s-triliovault-ingress-nginx-controller-admission ClusterIP 10.7.250.31 443/TCP 129m +k8s-triliovault-web ClusterIP 10.7.254.41 80/TCP 129m +k8s-triliovault-web-backend ClusterIP 10.7.252.146 80/TCP 129m +tvm-k8s-triliovault-operator-webhook-service ClusterIP 10.7.248.163 443/TCP 130m 123m +``` + +Check that ingress resources has the host defined by the user: +``` +NAME CLASS HOSTS ADDRESS PORTS AGE +k8s-triliovault k8s-triliovault-default-nginx * 35.203.155.148 80 129m +``` + +You can access the TVK UI by hitting this address in your browser: https://35.203.155.148 + +## Delete + +```shell +kubectl delete -f TVM.yaml +``` + +## Uninstall + +To uninstall/delete the operator helm chart : + +```bash +helm uninstall tvm +``` + +## TrilioVaultManager compatibility + +The following table captures the compatibility matrix of the TrilioVault Manager against TVK: + +| TVM Version | TVK 2.5.2 | TVK 2.5.1 | TVK 2.5.0 | TVK 2.1.0 | TVK 2.0.5 | TVK 2.0.4 | TVK 2.0.3 | TVK 2.0.2 | TVK 2.0.1 | +|-------------|-----------|-----------|-----------|-----------|-----------|-----------|-----------|-----------|-----------| +| 2.5.2 | yes | yes | yes | yes | yes | yes | yes | yes | yes | +| 2.5.0 | no | yes | yes | yes | yes | yes | yes | yes | yes | +| v2.1.0 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.5 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.2 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.1 | no | no | no | yes | yes | yes | yes | yes | yes | +| v2.0.0 | no | no | no | yes | yes | yes | yes | yes | yes | 
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml
new file mode 100644
index 000000000..22e62d8ef
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml
@@ -0,0 +1,1183 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: triliovaultmanagers.triliovault.trilio.io +spec: + group: triliovault.trilio.io + names: + kind: TrilioVaultManager + listKind: TrilioVaultManagerList + plural: triliovaultmanagers + shortNames: + - tvm + singular: triliovaultmanager + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trilioVaultAppVersion + name: TrilioVault-Version + type: string + - jsonPath: .spec.applicationScope + name: Scope + type: string + - jsonPath: .status.conditions.type + name: Status + type: string + - jsonPath: .spec.restoreNamespaces + name: Restore-Namespaces + type: string + name: v1 + schema: + openAPIV3Schema: + description: TrilioVaultManager is the Schema for the triliovaultmanagers + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TrilioVaultManagerSpec defines the desired state of TrilioVaultManager + properties: + affinity: + description: The scheduling constraints on application pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. 
The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. 
This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. 
When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. 
+ type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. 
The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + applicationScope: + description: Scope for the application which will be installed in + the cluster NamespaceScope or ClusterScope + enum: + - Cluster + - Namespaced + type: string + componentConfiguration: + description: ComponentConfiguration holds all the field related to + components. 
+ properties: + admission-webhook: + description: AdmissionWebhook holds all configuration keys related + to admission-webhook + type: object + x-kubernetes-preserve-unknown-fields: true + control-plane: + description: ControlPlane holds all configuration keys related + to control-plane + type: object + x-kubernetes-preserve-unknown-fields: true + exporter: + description: Exporter holds all configuration keys related to + exporter + type: object + x-kubernetes-preserve-unknown-fields: true + ingress-controller: + description: IngressController holds all configuration keys related + to ingress-controller + type: object + x-kubernetes-preserve-unknown-fields: true + web: + description: Web holds all configuration keys related to web + type: object + x-kubernetes-preserve-unknown-fields: true + web-backend: + description: WebBackend holds all configuration keys related to + web-backend + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + dataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Deprecated: DataJobLimits are the resource limits for + all the data processing jobs.' + type: object + dataJobResources: + description: DataJobResources is the resource limits & requests for + all the data processing jobs. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + deploymentLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: DeploymentLimits are the resource limits for all the + deployments. + type: object + helmValues: + description: HelmValues holds all the additional fields in the values.yaml + of TVK helm chart. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + helmVersion: + description: 'Deprecated: Helm Version' + properties: + tillerNamespace: + type: string + version: + enum: + - v3 + type: string + required: + - version + type: object + ingressConfig: + description: IngressConfig holds field related to ingress + properties: + annotations: + additionalProperties: + type: string + type: object + host: + type: string + ingressClass: + type: string + tlsSecretName: + type: string + type: object + metadataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Deprecated: MetadataJobLimits are the resource limits + for all the meta processing jobs.' + type: object + metadataJobResources: + description: MetadataJobResources is the resource limits & requests + for all the meta processing jobs. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: NodeSelector specifies a map of key-value pairs. For + the pod to be eligible to run on a node, the node must have each + of the indicated key-value pairs as labels. + type: object + resources: + description: 'Deprecated: Resources are the resource requirements + for the containers.' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restoreNamespaces: + description: 'Deprecated: RestoreNamespaces are the namespace where + you want to restore your applications. Restore Namespaces depends + on your k8s RBAC' + items: + type: string + type: array + tolerations: + description: The toleration of application against the specific taints + on the nodes + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . 
+ properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. 
+ type: string + type: object + type: array + trilioVaultAppVersion: + description: Helm Chart version + type: string + required: + - applicationScope + type: object + status: + description: TrilioVaultManagerStatus defines the observed state of TrilioVaultManager + properties: + conditions: + properties: + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + minLength: 0 + type: string + reason: + enum: + - InstallSuccessful + - UpdateSuccessful + - UninstallSuccessful + - InstallError + - UpdateError + - ReconcileError + - UninstallError + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + enum: + - Initialized + - Deployed + - Updated + - ReleaseFailed + - Irreconcilable + type: string + type: object + deployedRelease: + properties: + manifest: + type: string + name: + type: string + type: object + releaseVersion: + type: string + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/NOTES.txt b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/NOTES.txt new file mode 100644 index 000000000..3a153ce9b --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/NOTES.txt 
@@ -0,0 +1,59 @@
+TrilioVault Operator is a helm based operator which install/upgrade/delete the helm Chart of the TrilioVault For Kubernetes.
+This operator watches over the entire helm application of TrilioVault for Kubernetes and has self-healing capabilities.
+
+To verify that TrilioVault Operator has started, run:
+
+ kubectl --namespace={{ .Release.Namespace }} wait --for=condition=ready pod -l "release={{ .Release.Name }}"
+
+{{ if .Values.installTVK.enabled }}
+In one click install, a cluster scope TVM custom resource triliovault-manager is created, you can check its
+configuration by running following command:
+
+ kubectl --namespace {{ .Release.Namespace }} get triliovaultmanagers.triliovault.trilio.io triliovault-manager -o yaml
+
+{{- else }}
+
+Once the Triliovault operator is in running state, you can create the TrilioVault for Kubernetes(TVK) with the
+following custom resource:
+
+ apiVersion: triliovault.trilio.io/v1
+ kind: TrilioVaultManager
+ metadata:
+ labels:
+ app: triliovault
+ name: triliovault-manager
+ namespace: {{ .Release.Namespace }}
+ spec:
+ trilioVaultAppVersion: latest
+ applicationScope: Cluster
+ ingressConfig:
+ host: ""
+ componentConfiguration:
+ ingress-controller:
+ enabled: true
+ service:
+ type: LoadBalancer
+
+Once the above CR has been created, you have to wait for the TVK pods to come up.
+{{- end }}
+
+To check all the TVK pods come into running state, run:
+
+ kubectl --namespace {{ .Release.Namespace }} wait --for=condition=ready pod -l "release=triliovault-manager-{{ .Release.Namespace }}"
+
+Once all the pods are in running state, you can access the TVK UI from your browser using following steps:
+
+{{- if .Values.installTVK.enabled }}
+{{- if eq .Values.installTVK.ComponentConfiguration.ingressController.service.type "LoadBalancer" }}
+ 1. Find the external IP of the service `k8s-triliovault-ingress-nginx-controller`
+ 2. Hit the URL in browser: https://
+{{- else }}
+ 1. Find the NodePort from the service `k8s-triliovault-ingress-nginx-controller`
+ 2. Hit the URL in browser with NodePort: https://:/
+{{- end }}
+{{- end }}
+
+For more details on how to access the TVK UI, follow this guide: https://docs.trilio.io/kubernetes/management-console/user-interface/accessing-the-ui
+
+You can start backup and restore of your application using TVK. For more details on how to do that, please follow our
+getting started guide: https://docs.trilio.io/kubernetes/getting-started/getting-started-1
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/TVMCustomResource.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/TVMCustomResource.yaml
new file mode 100644
index 000000000..8069039bd
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/TVMCustomResource.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.installTVK.enabled }}
+{{- if not (lookup "triliovault.trilio.io/v1" "TrilioVaultManager" "" "").items }}
+ {{template "k8s-triliovault-operator.tlsSecretValidation" .}}
+apiVersion: triliovault.trilio.io/v1
+kind: TrilioVaultManager
+metadata:
+ name: "triliovault-manager"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install
+spec:
+ {{- if eq .Chart.Version "0.1.0" }}
+ trilioVaultAppVersion: latest
+ {{- else}}
+ trilioVaultAppVersion: {{ .Chart.AppVersion }}
+ {{- end }}
+ applicationScope: {{ .Values.installTVK.applicationScope }}
+ # User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section
+ ingressConfig:
+ {{- if and (gt (len .Values.installTVK.ingressConfig.annotations) 0) (not .Values.installTVK.ComponentConfiguration.ingressController.enabled) }}
+ annotations:
+ {{- range $key, $value := .Values.installTVK.ingressConfig.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end -}}
+ {{- end }}
+ host: {{ .Values.installTVK.ingressConfig.host | quote }}
+ {{- if not .Values.installTVK.ComponentConfiguration.ingressController.enabled }}
+ ingressClass: {{ .Values.installTVK.ingressConfig.ingressClass | quote }}
+ {{- end }}
+ {{- if .Values.installTVK.ingressConfig.tlsSecretName }}
+ tlsSecretName: {{ .Values.installTVK.ingressConfig.tlsSecretName | quote }}
+ {{- end }}
+ # TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook.
+ # User can configure resources for all componentes and can configure service type and host for the ingress-controller
+ componentConfiguration:
+ ingress-controller:
+ enabled: {{ .Values.installTVK.ComponentConfiguration.ingressController.enabled }}
+ service:
+ type: {{ .Values.installTVK.ComponentConfiguration.ingressController.service.type }}
+{{- end -}}
+{{- end -}}
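Review bot: The TrilioVaultManager rendered here carries `"helm.sh/hook": pre-install`, so, if I read Helm's hook semantics correctly, it is created before the release's own resources but is not tracked as part of the release: `helm upgrade` with changed `installTVK` values will not re-render it (pre-install only), and `helm uninstall` leaves it in the cluster since no `helm.sh/hook-delete-policy` is set, which is worth stating in the chart docs if intentional. The `lookup` guard on the second line returns nothing when rendering without cluster access (`helm template`, `--dry-run`), so the "already exists" check only protects live installs. `applicationScope: {{ .Values.installTVK.applicationScope }}` renders as a bare `null` when the value is empty, and the CRD lists applicationScope as required; `applicationScope: {{ .Values.installTVK.applicationScope | quote }}` keeps it a string so the API rejects it with a clear enum error rather than a missing-field one. `componentes` in the second comment is a typo.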
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/_helpers.tpl b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/_helpers.tpl
new file mode 100644
index 000000000..46d123feb
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/_helpers.tpl
@@ -0,0 +1,66 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8s-triliovault-operator.name" -}}
+{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "k8s-triliovault-operator.appName" -}}
+{{- printf "%s" .Chart.Name -}}
+{{- end -}}
+
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "k8s-triliovault-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper TrilioVault Operator image name
+*/}}
+{{- define "k8s-triliovault-operator.image" -}}
+{{- $registryName := .Values.image.registry -}}
+{{- $repositoryName := .Values.image.repository -}}
+{{- $tag := .Values.image.tag | toString -}}
+{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+
+{{/*
+Validation of the secret of CA bundle if provided
+*/}}
+{{- define "k8s-triliovault-operator.caBundleValidation" -}}
+{{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }}
+{{- if not (lookup "v1" "ConfigMap" .Release.Namespace .Values.proxySettings.CA_BUNDLE_CONFIGMAP) }}
+ {{ fail "Proxy CA bundle proxy is not present in the release namespace" }}
+{{- else }}
+ {{- $caMap := (lookup "v1" "ConfigMap" .Release.Namespace .Values.proxySettings.CA_BUNDLE_CONFIGMAP).data }}
+ {{- if not (get $caMap "ca-bundle.crt") }}
+ {{ fail "Proxy CA certificate file key should be ca-bundle.crt" }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Validation for the ingress tlsSecret, should exists if provided
+*/}}
+
+{{- define "k8s-triliovault-operator.tlsSecretValidation" }}
+{{- if .Values.installTVK.ingressConfig.tlsSecretName -}}
+{{- if not (lookup "v1" "Secret" .Release.Namespace .Values.installTVK.ingressConfig.tlsSecretName ) -}}
+ {{ fail "Ingress tls secret is not present in the release namespace" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/clusterrole.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/clusterrole.yaml
new file mode 100644
index 000000000..a6208e049
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/clusterrole.yaml
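Review bot: Both `caBundleValidation` and `tlsSecretValidation` rely on `lookup`, which returns an empty result when the chart is rendered without cluster access (`helm template`, `--dry-run`), so setting `proxySettings.CA_BUNDLE_CONFIGMAP` or `installTVK.ingressConfig.tlsSecretName` makes offline rendering fail with "not present" even though the object exists; a comment above each define saying these checks only hold during a real install would save users a confused debugging session. The first failure message also reads doubled and would be clearer as `Proxy CA bundle ConfigMap is not present in the release namespace`. `$caMap` is the ConfigMap's `.data`, which is absent when the ConfigMap carries no keys, and I am not certain `get` tolerates that nil — piping it through `default (dict)` before the `get` makes the check explicit. Stylistically, `k8s-triliovault-operator.name` defaults to `.Release.Name` while `fullname` builds on `.Chart.Name`, which is easy to trip over, and `appName` is the only helper without a header comment; `{{/* Chart name, used for the app.kubernetes.io/* labels */}}` would match the others. "should exists" in the last header comment should read "should exist".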
@@ -0,0 +1,133 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{template "k8s-triliovault-operator.name" .}}-{{.Release.Namespace}}-manager-role + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{template "k8s-triliovault-operator.appName" .}}-manager-role + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - update + - delete + - patch + - apiGroups: + - "" + resources: + - serviceaccounts + - services + - services/finalizers + - secrets + - events + - pods + - endpoints + - configmaps + verbs: + - create + - update + - delete + - patch + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - create + - update + - delete + - patch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - update + - delete + - patch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - create + - update + - delete + - patch + - bind + - escalate + - apiGroups: + - triliovault.trilio.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - "" + resources: + - namespaces + verbs: + - update + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - delete + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - create + - patch + - update + - delete + - apiGroups: + - 
networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - delete diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/clusterrole_binding.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/clusterrole_binding.yaml new file mode 100644 index 000000000..49d5655f6 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/clusterrole_binding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-rolebinding + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-manager-rolebinding + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-role +subjects: +- kind: ServiceAccount + name: {{ template "k8s-triliovault-operator.fullname" . }}-service-account + namespace: {{ .Release.Namespace }} diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/deployment.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/deployment.yaml new file mode 100644 index 000000000..580f5774e --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/deployment.yaml 
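Review bot: The first rule grants get/list/watch on every resource in every API group cluster-wide, which includes reading all Secrets in the cluster, and the rbac.authorization.k8s.io rule adds `bind` and `escalate`, which let the holder hand out permissions beyond its own grants; together with create/update on pods, secrets, serviceaccounts and webhook configurations this ClusterRole is effectively cluster-admin, so anyone who can run code in the operator pod inherits that. If the operator genuinely needs these grants to install TrilioVault and its RBAC, record it where a reader will look: a comment above the `'*'` rule such as `# cluster-wide read: operator discovers TVK components in every namespace` and one above the rbac rule such as `# escalate/bind: operator creates TVK roles that exceed its own grants` would document the intent and give a later reviewer a basis for narrowing the wildcard to the groups actually read. The clusterrole_binding.yaml hunk on the same line attaches this role to the release's service account, so that account's blast radius is the whole cluster, which deserves a sentence in the chart README.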
@@ -0,0 +1,202 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + selector: + matchLabels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + spec: + hostNetwork: {{ .Values.podSpec.hostNetwork }} + hostIPC: {{ .Values.podSpec.hostIPC }} + hostPID: {{ .Values.podSpec.hostPID }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.podSpec.securityContext | nindent 8 }} + {{- end }} + containers: + - name: k8s-triliovault-operator + image: {{ .Values.registry }}/{{ index .Values "k8s-triliovault-operator" "repository" }}:{{ .Values.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.proxySettings.PROXY_ENABLED }} + envFrom: + - secretRef: + name: {{ template "k8s-triliovault-operator.fullname" . 
}}-proxy + {{- end }} + env: + {{- if .Values.proxySettings.PROXY_ENABLED }} + - name: PROXY_SETTINGS_SECRET + value: {{ template "k8s-triliovault-operator.fullname" . }}-proxy + {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: PROXY_CA_CONFIGMAP + value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- end }} + {{- if .Values.tvkEnv }} + - name: TVK_ENV + value: {{ .Values.tvkEnv }} + {{- end}} + {{- if .Values.tvkHelmRepo }} + - name: TVK_HELM_REPO + value: {{ .Values.tvkHelmRepo }} + {{- end }} + - name: INSTALL_NAMESPACE + value: {{ .Release.Namespace }} + - name: REGISTRY + value: {{ .Values.registry }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: NAMESPACE_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration + livenessProbe: + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + volumeMounts: + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: proxy-ca-cert + mountPath: /proxy-certs + readOnly: true + {{- end }} + {{- if .Values.tls.enable }} + - name: helm-tls-certs + mountPath: /root/.helm + readOnly: true + {{- if .Values.tls.verify }} + - name: helm-tls-ca + mountPath: /root/.helm/ca.crt + readOnly: true + {{- end }} + {{- end }} + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | 
nindent 12 }} + {{- end }} + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 10Mi + initContainers: + - name: webhook-init + image: {{ .Values.registry }}/{{ index .Values "operator-webhook-init" "repository" }}:{{ .Values.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.proxySettings.PROXY_ENABLED }} + envFrom: + - secretRef: + name: {{ template "k8s-triliovault-operator.fullname" . }}-proxy + {{- end }} + env: + {{- if .Values.proxySettings.PROXY_ENABLED }} + - name: PROXY_SETTINGS_SECRET + value: {{ template "k8s-triliovault-operator.fullname" . }}-proxy + {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: PROXY_CA_CONFIGMAP + value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- end }} + - name: TVK_ENV + value: {{ .Values.tvkEnv }} + - name: TVK_HELM_REPO + value: {{ .Values.tvkHelmRepo }} + - name: RELEASE_VERSION + value: {{ .Chart.AppVersion }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: NAMESPACE_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration + - name: WEBHOOK_SERVICE + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + - name: WEBHOOK_NAMESPACE + value: {{ .Release.Namespace }} + - name: SECRET_NAME + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + volumeMounts: + - name: proxy-ca-cert + mountPath: /proxy-certs + readOnly: true + {{- end }} + serviceAccountName: {{ template "k8s-triliovault-operator.fullname" . 
}}-service-account + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + volumes: + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: proxy-ca-cert + configMap: + name: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- if .Values.tls.enable }} + - name: helm-tls-certs + secret: + secretName: {{ .Values.tls.secretName }} + defaultMode: 0400 + {{- if .Values.tls.verify }} + - name: helm-tls-ca + configMap: + name: {{ template "helm-operator.fullname" . }}-helm-tls-ca-config + defaultMode: 0600 + {{- end }} + {{- end }} + - name: webhook-certs + secret: + defaultMode: 420 + secretName: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/mutating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/mutating-webhook.yaml new file mode 100644 index 000000000..692feec4e --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/mutating-webhook.yaml 
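Review bot: `name: {{ template "helm-operator.fullname" . }}-helm-tls-ca-config` in the `helm-tls-ca` volume references a template this chart's helpers do not define, so rendering fails as soon as both `tls.enable` and `tls.verify` are true; it should read `name: {{ template "k8s-triliovault-operator.fullname" . }}-helm-tls-ca-config`, and nothing visible in this chunk creates a ConfigMap of that name, so the mount would also dangle unless another template supplies it. The pod-level `securityContext` is guarded by `{{- if .Values.securityContext }}` while its body renders `.Values.podSpec.securityContext`; the guard should be `{{- if .Values.podSpec.securityContext }}`, otherwise clearing the container-level value silently drops the pod-level one too. Several env values are rendered unquoted (`value: {{ .Values.tvkEnv }}`, `value: {{ .Values.tvkHelmRepo }}`, `value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }}`); `| quote` on each keeps an empty or numeric-looking setting a string. The main container and the init container repeat the same proxy `envFrom`/env stanza and the same three webhook-configuration names, which could move into a named template so the two copies cannot drift.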
@@ -0,0 +1,31 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-mutating-webhook-configuration + app.kubernetes.io/managed-by: {{ .Release.Service }} +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /mutate-triliovault-trilio-io-v1-triliovaultmanager + failurePolicy: Fail + name: v1-tvm-mutation.trilio.io + rules: + - apiGroups: + - triliovault.trilio.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - triliovaultmanagers + sideEffects: None + admissionReviewVersions: + - v1 diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/ns-validating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/ns-validating-webhook.yaml new file mode 100644 index 000000000..f0e0618e2 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/ns-validating-webhook.yaml 
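Review bot: `caBundle: Cg==` is a placeholder (base64 of a single newline), not a CA, and with `failurePolicy: Fail` every TrilioVaultManager create/update is rejected until something replaces it; from the deployment hunk it looks like the `webhook-init` init container (it receives `ADMISSION_MUTATION_CONFIG` and `SECRET_NAME`) patches the real bundle in at startup, but nothing in this file says so. A comment on that line, `# placeholder; webhook-init patches the real CA bundle into this object at startup`, would stop a reader from treating it as a broken trust anchor, and since the chart manifest keeps `Cg==`, a `helm upgrade --force` would presumably reset the patched value, which is worth a line in the README. The same applies to `caBundle: Cg==` in ns-validating-webhook.yaml and validating-webhook.yaml.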
@@ -0,0 +1,37 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-ns-validating-webhook-configuration + app.kubernetes.io/managed-by: {{ .Release.Service }} +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-core-v1-namespace + failurePolicy: Fail + name: v1-tvm-ns-validation.trilio.io + namespaceSelector: + matchExpressions: + - key: trilio-operator-label + operator: In + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - DELETE + resources: + - namespaces + scope: '*' + sideEffects: None + admissionReviewVersions: + - v1 diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/proxyConfig.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/proxyConfig.yaml new file mode 100644 index 000000000..99725af36 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/proxyConfig.yaml 
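Review bot: The `namespaceSelector` only fires for namespaces carrying `trilio-operator-label` equal to the release namespace, yet none of the templates visible here creates or labels a Namespace, so the DELETE guard on the release namespace is inert unless the operator or an admin applies that label out of band; a comment above `namespaceSelector` naming who sets it, e.g. `# label is applied to the release namespace by the operator at runtime`, would make that dependency visible. `- {{ .Release.Namespace }}` under `values` is rendered unquoted; `- {{ .Release.Namespace | quote }}` keeps a numeric-looking namespace name a string.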
@@ -0,0 +1,21 @@ +{{- if .Values.proxySettings.PROXY_ENABLED }} + {{ template "k8s-triliovault-operator.caBundleValidation" . }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }}-proxy + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-proxy + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + {{- range $key, $val := .Values.proxySettings }} + {{ $val = $val| toString | b64enc }} + {{- if $val -}} + {{ $key }}: {{ $val }} + {{- end -}} + {{- end }} +type: Opaque +{{- end }} diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/secret.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/secret.yaml new file mode 100644 index 000000000..782140c5a --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/secret.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-webhook-certs + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: Opaque diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/serviceAccount.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/serviceAccount.yaml new file mode 100644 index 000000000..4c51e5fa4 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/serviceAccount.yaml 
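Review bot: The `range` over `.Values.proxySettings` base64-encodes every key into the Secret, including `PROXY_ENABLED` and `CA_BUNDLE_CONFIGMAP`, which are chart switches rather than proxy settings the pod needs; restricting the loop to the `*_PROXY` keys, or moving the switches out of `proxySettings`, keeps the Secret to what `envFrom` should inject. `HTTP_PROXY`/`HTTPS_PROXY` URLs commonly carry credentials, and those values also persist in the Helm release record and in `helm get values` output, which the README should mention so operators do not treat this Secret as the only copy to protect.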
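Review bot: The `-webhook-certs` Secret in secret.yaml is declared without `data`, so the serving certificate the deployment mounts at `/tmp/k8s-webhook-server/serving-certs` must be written by something else, presumably `webhook-init` via its `SECRET_NAME` env; a comment above `type: Opaque` stating that, e.g. `# populated at runtime by webhook-init; keep data out of the chart`, would explain the empty object. Without it a reader may "fix" the template by adding `data`, which would overwrite the runtime material on the next upgrade.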
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }}-service-account + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-service-account + app.kubernetes.io/managed-by: {{ .Release.Service }} diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/validating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/validating-webhook.yaml new file mode 100644 index 000000000..c66b6a429 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/validating-webhook.yaml @@ -0,0 +1,31 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + labels: + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-validating-webhook-configuration + app.kubernetes.io/managed-by: {{ .Release.Service }} +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-triliovault-trilio-io-v1-triliovaultmanager + failurePolicy: Fail + name: v1-tvm-validation.trilio.io + rules: + - apiGroups: + - triliovault.trilio.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - triliovaultmanagers + sideEffects: None + admissionReviewVersions: + - v1 
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/webhook-service.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/webhook-service.yaml new file mode 100644 index 000000000..bed6993c7 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/templates/webhook-service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-webhook-service + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/values.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/values.yaml new file mode 100644 index 000000000..99871de5e --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.7.0/values.yaml 
@@ -0,0 +1,76 @@ +## TrilioVault Operator +registry: "eu.gcr.io/amazing-chalice-243510" + +operator-webhook-init: + repository: operator-webhook-init + +k8s-triliovault-operator: + repository: k8s-triliovault-operator + +tag: "2.7.0" + +tvkHelmRepo: "" + +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + +image: + pullPolicy: Always +tls: + secretName: "helm-client-certs" + verify: false + enable: false + keyFile: "tls.key" + certFile: "tls.crt" + caContent: "" + hostname: "" + +nameOverride: "" + +replicaCount: 1 + +proxySettings: + PROXY_ENABLED: false + NO_PROXY: "" + HTTP_PROXY: "" + HTTPS_PROXY: "" + CA_BUNDLE_CONFIGMAP: "" + +podSpec: + hostIPC: false + hostNetwork: false + hostPID: false + securityContext: + runAsNonRoot: true + runAsUser: 1001 + +securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + +installTVK: + enabled: true + applicationScope: Cluster + ingressConfig: + host: "" + tlsSecretName: "" + annotations: {} + ingressClass: "" + ComponentConfiguration: + ingressController: + enabled: true + service: + type: NodePort diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/Chart.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/Chart.yaml new file mode 100644 index 000000000..820268a4d --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/Chart.yaml @@ -0,0 +1,11 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Service Mesh + catalog.cattle.io/release-name: nginx-service-mesh +apiVersion: v2 +appVersion: 1.4.0 +description: NGINX Service Mesh +icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png +kubeVersion: '>= 1.18-0' +name: nginx-service-mesh +version: 0.4.0 
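Review bot: `tvkEnv` is read by deployment.yaml (`TVK_ENV` in both containers) but is not declared here, so it renders empty and a user sees no default to override; add `tvkEnv: ""` next to `tvkHelmRepo`. The `image` map carries only `pullPolicy`, while the `k8s-triliovault-operator.image` helper in _helpers.tpl expects `image.registry`, `image.repository` and `image.tag`, so one of the two should change. `readOnlyRootFilesystem: false` is the one hardening default in the container `securityContext` that is off; if the operator needs a writable root, a comment explaining why would keep it from being flipped back blindly, and `pullPolicy: Always` with a fixed `tag: "2.7.0"` trades a deterministic image for a registry round-trip on every pod start. The `hostNetwork`/`hostIPC`/`hostPID` switches default to false, which is right; a comment that turning them on removes the pod's namespace isolation would discourage casual use.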
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/README.md b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/README.md new file mode 100644 index 000000000..62bca1853 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/README.md @@ -0,0 +1,11 @@ +# NGINX Service Mesh + +Before deploying NGINX Service Mesh, see the [Platform Guide](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/) to ensure your environment is properly configured. If [Persistent Storage](https://docs.nginx.com/nginx-service-mesh/get-started/kubernetes-platform/persistent-storage/) is not configured in your cluster, set the `mTLS.persistentStorage` field to `off`. Verify that no other service meshes exist in your Kubernetes cluster. It is advised to install NGINX Service Mesh in a dedicated namespace. + +## Helm Installation and Configuration + +For information on the configuration options and installation process when using Helm with NGINX Service Mesh, see the [Installation Guide](https://docs.nginx.com/nginx-service-mesh/get-started/install-with-helm/). + +## Rancher users + +When deploying NGINX Service Mesh via the Rancher Apps and Marketplace, the Helm value `rancher` is set to `true` by default. This value causes Pods in the `cattle-*`, `ingress-nginx`, and `cert-manager` namespaces to be ignored by the automatic sidecar injection webhook. If this behavior is not desired, the `rancher` value can be set to `false`, or the `injector.nsm.nginx.com/auto-inject` label can be manually removed from these namespaces. diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/app-readme.md b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/app-readme.md new file mode 100644 index 000000000..309cb53d5 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/app-readme.md 
@@ -0,0 +1,21 @@ +# NGINX Service Mesh + +[NGINX Service Mesh](https://docs.nginx.com/nginx-service-mesh/) is a fully integrated lightweight service mesh that leverages a data plane powered by NGINX Plus to manage container traffic in Kubernetes environments. + +NGINX Service Mesh is supported in Rancher 2.5+ when deploying from the Apps and Marketplace. NGINX Service Mesh is not currently supported on k3s. + +## Enabling telemetry + +Telemetry can only be enabled by editing the configuration YAML directly in the Rancher UI. When installing NGINX Service Mesh, select the `Edit YAML` option. To enable telemetry, set the `tracing` object to `{}` and fill out the `telemetry` object. +The telemetry object expects a `samplerRatio`, and the `host` and `port` of your OTLP gRPC collector. +For example: + +```yaml +tracing: {} +telemetry: + samplerRatio: 0.01 + exporters: + otlp: + host: "my-otlp-collector-host" + port: 4317 +``` diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/chart-icon.png b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/chart-icon.png new file mode 100644 index 000000000..612ba3569 Binary files /dev/null and b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/chart-icon.png differ diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-dashboard-conf.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-dashboard-conf.yaml new file mode 100644 index 000000000..9ee1af722 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-dashboard-conf.yaml @@ -0,0 +1,11 @@ +apiVersion: 1 +providers: +- name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: nginx-mesh-top 
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-datasources-conf.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-datasources-conf.yaml new file mode 100644 index 000000000..acce701bd --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-datasources-conf.yaml @@ -0,0 +1,12 @@ +apiVersion: 1 +datasources: +- name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://{{ include "prometheus.address" . }} + isDefault: true + jsonData: + timeInterval: "5s" +version: 1 +editable: true diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-top-dashboard.json b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-top-dashboard.json new file mode 100644 index 000000000..d7a46b4f4 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana-top-dashboard.json 
@@ -0,0 +1,697 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 4, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) / sum(irate(nginxplus_upstream_server_responses[30s]))", + "format": "time_series", + "interval": "5s", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": "", + "title": "GLOBAL SUCCESS RATE", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + 
"#d44a3a" + ], + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "format": "reqps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 6, + "w": 13, + "x": 8, + "y": 0 + }, + "id": 6, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(nginxplus_http_requests_total[30s]))", + "format": "time_series", + "interval": "5s", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": "", + "title": "GLOBAL REQUEST VOLUME", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "format": "none", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 0 + }, + "id": 5, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + 
"postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "", + "targets": [ + { + "expr": "count(nginxplus_http_requests_total)", + "format": "time_series", + "interval": "5s", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": "", + "title": "PODS MONITORED", + "type": "singlestat", + "valueFontSize": "200%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 6 + }, + "hiddenSeries": false, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.3.4", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "irate(nginxplus_http_requests_total[30s])", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request Volume", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "reqps", + "label": null, + "logBase": 
1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "prometheus", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 6 + }, + "hiddenSeries": false, + "id": 123124, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.3.4", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(nginxplus_upstream_server_responses{code=~\"1xx|2xx\"}[30s])) by (app, version) / sum(irate(nginxplus_upstream_server_responses[30s])) by (app, version)", + "format": "time_series", + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Pod Success", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + 
"dashes": false, + "datasource": null, + "description": "RSS used by NGINX Service Mesh sidecars", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 15 + }, + "hiddenSeries": false, + "id": 123126, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.3.4", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "nginxplus_workers_mem_rss", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Sidecar Memory Usage (RSS)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "description": "Private memory used by NGINX Service Mesh sidecars", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 15 + }, + "hiddenSeries": false, + "id": 123128, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + 
"lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.3.4", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "nginxplus_workers_mem_private", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Sidecar Memory Usage (Private)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 27, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "NGINX Mesh Top", + "uid": "N3zQ72OWk", + "version": 1 + } diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana.ini b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana.ini new file mode 100644 index 000000000..4e289e198 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/grafana.ini 
@@ -0,0 +1,15 @@
+instance_name = nginx-mesh-grafana
+
+[auth]
+disable_login_form = true
+
+[auth.anonymous]
+enabled = true
+org_role = Admin
+
+[auth.basic]
+enabled = false
+
+[analytics]
+check_for_updates = false
+Events:
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/k8s-workload-registrar.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/k8s-workload-registrar.conf
new file mode 100644
index 000000000..d95b67280
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/k8s-workload-registrar.conf
@@ -0,0 +1,11 @@
+log_level = "debug"
+trust_domain = {{ quote .Values.mtls.trustDomain }}
+server_socket_path = "/run/spire/sockets/spire-registration.sock"
+cluster = "nginx-mesh"
+pod_controller = true
+add_svc_dns_name = true
+mode = "crd"
+webhook_enabled = true
+webhook_cert_dir = "/tmp/k8s-webhook-server/serving-certs"
+identity_template_label = "spiffe.io/spiffeid"
+dns_name_templates = ["{{`{{ .Pod.Name}}`}}", "{{`{{ .Pod.ServiceAccount }}`}}.{{`{{ .Pod.Namespace }}`}}.svc"]
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/mesh-config.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/mesh-config.conf
new file mode 100644
index 000000000..facc8e268
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/mesh-config.conf
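Review bot: `[auth.anonymous] enabled = true` together with `org_role = Admin` (and the login form disabled) makes every unauthenticated request to this Grafana an organization admin, so anyone who can reach the service — a port-forward, a permissive NetworkPolicy, an Ingress added later — can add data sources, edit dashboards and query whatever the Prometheus data source exposes. If anonymous access is meant for read-only dashboards, `org_role = Viewer` is the right default and an admin role should require a real login; how the service is exposed is not visible in this hunk, so at least the values/README should state the assumption. The final `+Events:` line is not a `key = value` entry and looks like a paste artifact; verify Grafana's ini loader tolerates it or drop it.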
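Review bot: `dns_name_templates` gives every workload SVID a DNS SAN equal to the bare pod name (`{{ .Pod.Name }}`), a string chosen by whoever can create pods in an injected namespace, so a pod named after a service's short name obtains a certificate whose DNS SAN matches that service for any client that verifies by hostname rather than SPIFFE ID. If nothing in the mesh validates by DNS SAN, drop that template and keep only the `{{ .Pod.ServiceAccount }}.{{ .Pod.Namespace }}.svc` form, which derives from the service account rather than a free-form name. `log_level = "debug"` is also pinned for the component that creates registration entries; `"info"` is the usual production default unless the verbose output is wanted.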
@@ -0,0 +1,79 @@ +{ + "accessControlMode": {{ quote .Values.accessControlMode }}, + "api": { + "address": {{ printf "nginx-mesh-api.%s" .Release.Namespace | quote }}, + "containerPort": 8443, + "port": 443 + }, + "autoInjectorPort": 9443, + "environment": {{ quote .Values.environment }}, + "isUDPEnabled": {{ .Values.enableUDP }}, + "injection": { + "disabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.disabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}], + "enabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}], + "isAutoInjectEnabled": {{ not .Values.autoInjection.disable }} + }, + "loadBalancingMethod": {{ quote .Values.nginxLBMethod }}, + "mtls": { + "mode": {{ quote .Values.mtls.mode }}, + "caTTL": {{ quote .Values.mtls.caTTL }}, + "svidTTL": {{ quote .Values.mtls.svidTTL }}, + "caKeyType": {{ quote .Values.mtls.caKeyType }} + }, + "mtlsMode": {{ quote .Values.mtls.mode }}, + "namespace": {{ quote .Release.Namespace }}, + "nginxErrorLogLevel": {{ quote .Values.nginxErrorLogLevel }}, + "nginxLogFormat": {{ quote .Values.nginxLogFormat }}, + "prometheusAddress": {{ include "prometheus.address" . | quote }}, + "proxy": { + "ports": { + "incoming": 8888, + "incomingGrpc": 8891, + "incomingGrpcPermissive": 8893, + "incomingNotInKeyval": 8903, + "incomingPermissive": 8890, + "incomingRedirect": 8901, + "incomingTcp": 8904, + "incomingTcpDeny": 8905, + "incomingTcpPermissive": 8907, + "outgoingUdp": 8908, + "incomingUdp": 8909, + "metrics": 8887, + "outgoing": 8889, + "outgoingDefaultEgress": 8894, + "outgoingGrpc": 8892, + "outgoingNotInKeyval": 8902, + "outgoingRedirect": 8900, + "outgoingTcp": 8906, + "plusApi": 8886, + "redirectHealthPort": 8895, + "redirectHealthPortHTTPS": 8896 + }, + "transparent": false + }, + "registryKeyName": {{ if (include "docker-config-json" .) }}{{ include "registry-key-name" . 
| quote }}{{ else }}""{{ end }},
+ "sidecarImage": {
+ "image": {{ printf "%s/nginx-mesh-sidecar:%s" .Values.registry.server .Values.registry.imageTag | quote }},
+ "name": "nginx-mesh-sidecar"
+ },
+ "sidecarInitImage": {
+ "image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag | quote }},
+ "name": "nginx-mesh-init"
+ },
+ "tracing": {{if .Values.tracing }}{
+ "backend": {{ quote .Values.tracing.backend }},
+ "backendAddress": {{ include "tracing.address" . | quote }},
+ "isEnabled": {{ not .Values.tracing.disable }},
+ "sampleRate": {{ .Values.tracing.sampleRate }}
+ },{{ else }}{},{{ end }}
+ "telemetry": {{ if .Values.telemetry }}{
+ "exporters": {
+ "otlp": {
+ "host": {{ quote .Values.telemetry.exporters.otlp.host }},
+ "port": {{ .Values.telemetry.exporters.otlp.port }}
+ }
+ },
+ "samplerRatio": {{ .Values.telemetry.samplerRatio }}
+ },{{ else }}{},{{ end }}
+ "trustDomain": {{ quote .Values.mtls.trustDomain }}
+ }
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/nats.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/nats.conf
new file mode 100644
index 000000000..bea951208
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/nats.conf
@@ -0,0 +1,8 @@
+pid_file: "/var/run/nats/nats.pid"
+http: 8222
+tls: {
+ ca_file: "/etc/ssl/ca.crt"
+ cert_file: "/etc/ssl/tls.crt"
+ key_file: "/etc/ssl/tls.key"
+ verify: true
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/prometheus-config.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/prometheus-config.yaml
new file mode 100644
index 000000000..b2d7ca0af
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/prometheus-config.yaml
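Review bot: the boolean and numeric fields are interpolated raw — `"isUDPEnabled": {{ .Values.enableUDP }}`, `"sampleRate": {{ .Values.tracing.sampleRate }}`, `"port": {{ .Values.telemetry.exporters.otlp.port }}`, `"samplerRatio": {{ .Values.telemetry.samplerRatio }}` — so an unset value renders as nothing (`"isUDPEnabled": ,`) and the document fails to parse when the mesh API loads it instead of failing at `helm install`. Wrapping each in `{{ required "..." ... }}` or `{{ ... | default false }}` (and `{{ toJson ... }}` for the numbers) moves the failure to render time; whether values.yaml defaults all of them is outside this hunk. `mtlsMode` and `mtls.mode` are also rendered from the same value, which is fine for compatibility but is kept in sync only by convention.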
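Review bot: `http: 8222` enables the NATS monitoring endpoint on all interfaces over plain HTTP with no authentication, while the client port is mTLS-only (`verify: true`); anything that can reach the pod on 8222 can read `/varz`, `/connz` and `/subsz` and learn server configuration, client addresses and subject names. If the endpoint is only for a local probe or sidecar, bind it to loopback (`http: 127.0.0.1:8222`), or switch to `https:` with the same certificate pair; whether a NetworkPolicy already fences it off is not visible here.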
@@ -0,0 +1,72 @@ +global: + scrape_interval: 10s +scrape_configs: +- job_name: 'nginx-mesh-sidecars' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_name] + action: keep + regex: nginx-mesh-sidecar + - action: labelmap + regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+) + - action: labeldrop + regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod +- job_name: 'nginx-plus-ingress' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_name] + action: keep + regex: nginx-plus-ingress + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: (.+)(?::\d+);(\d+) + replacement: $1:$2 + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + - action: labelmap + regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+) + - action: labeldrop + regex: __meta_kubernetes_pod_label_nsm_nginx_com_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_annotation_nsm_nginx_com_enable_(.+) + metric_relabel_configs: + - source_labels: [__name__] + regex: 'nginx_ingress_controller_upstream_server_response_latency_ms(.+)' + target_label: __name__ + replacement: 'nginxplus_upstream_server_response_latency_ms$1' + - source_labels: [__name__] + regex: 'nginx_ingress_nginxplus(.+)' + target_label: __name__ + replacement: 'nginxplus$1' + - source_labels: [service] + 
target_label: dst_service
+ - source_labels: [resource_namespace]
+ target_label: dst_namespace
+ - source_labels: [pod_owner]
+ regex: '(.+)\/(.+)'
+ target_label: dst_$1
+ replacement: $2
+ - action: labeldrop
+ regex: pod_owner
+ - source_labels: [pod_name]
+ target_label: dst_pod
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/spire-agent.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/spire-agent.conf
new file mode 100644
index 000000000..726af1573
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/spire-agent.conf
@@ -0,0 +1,33 @@
+agent {
+ data_dir = "/run/spire"
+ log_level = "DEBUG"
+ server_address = "spire-server"
+ server_port = "8081"
+ socket_path = "/run/spire/sockets/agent.sock"
+ trust_bundle_path = "/run/spire/bundle/bundle.crt"
+ trust_domain = {{ quote .Values.mtls.trustDomain }}
+}
+
+plugins {
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ cluster = "nginx-mesh"
+ }
+ }
+
+ KeyManager "memory" {
+ plugin_data {
+ }
+ }
+
+ WorkloadAttestor "k8s" {
+ plugin_data {
+ skip_kubelet_verification = true
+ }
+ }
+
+ WorkloadAttestor "unix" {
+ plugin_data {
+ }
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/spire-server.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/spire-server.conf
new file mode 100644
index 000000000..cbecae3a7
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/spire-server.conf
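Review bot: both jobs discover `role: pod` in every namespace and keep targets on container name alone (`regex: nginx-mesh-sidecar`, `regex: nginx-plus-ingress`), so any pod that names a container `nginx-mesh-sidecar` and exposes a port is scraped and can inject arbitrary series — including ones shaped like mesh telemetry — into this Prometheus and the bundled dashboards. The unconditional `labelmap` of `__meta_kubernetes_pod_label_(.+)` then copies every pod label into metric labels, which is a cardinality lever for the same untrusted pods. If the injector marks injected pods with a fixed label or annotation, keying the `keep` on that (and on the sidecar's `metrics` port from mesh-config.conf) is a tighter filter; at minimum limit the labelmap to a known prefix.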
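Review bot: `skip_kubelet_verification = true` makes the `k8s` WorkloadAttestor accept any TLS certificate from whatever answers on the kubelet port, so anything that can stand in for the kubelet to the agent can return a fabricated pod list and influence the namespace/service-account selectors a workload is attested with — the selectors every registration entry here keys on. The supported fix is to verify the kubelet: set `kubelet_ca_path` to the CA that signs kubelet serving certificates in this cluster (often but not always the cluster CA at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`) and keep the skip as an explicit, documented value for clusters with self-signed kubelets. `log_level = "DEBUG"` is also pinned in the agent that handles every workload's SVID; `"INFO"` is the usual production default.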
@@ -0,0 +1,72 @@
+server {
+ bind_address = "0.0.0.0"
+ bind_port = "8081"
+ ca_key_type = {{ quote .Values.mtls.caKeyType }}
+ ca_ttl = {{ quote .Values.mtls.caTTL }}
+ data_dir = "/run/spire/data"
+ log_level = "DEBUG"
+ socket_path = "/run/spire/sockets/spire-registration.sock"
+ default_svid_ttl = {{ quote .Values.mtls.svidTTL }}
+ trust_domain = {{ quote .Values.mtls.trustDomain }}
+ ca_subject = {
+ country = ["US"],
+ organization = ["NGINX"],
+ common_name = "",
+ }
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "/run/spire/data/datastore.sqlite3"
+ }
+ }
+
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ clusters = {
+ "nginx-mesh" = {
+ service_account_allow_list = [{{ printf "%s:spire-agent" .Release.Namespace | quote }}]
+ }
+ }
+ }
+ }
+
+ Notifier "k8sbundle" {
+ plugin_data {
+ namespace = {{ quote .Release.Namespace }}
+ webhook_label = "spiffe.io/webhook"
+ api_service_label = "spiffe.io/apiservice"
+ }
+ }
+
+ KeyManager {{ quote .Values.mtls.spireServerKeyManager }} {
+ {{- if eq .Values.mtls.spireServerKeyManager "disk" }}
+ plugin_data {
+ keys_path = "/run/spire/data/keys.json"
+ }
+ {{- end }}
+ }
+
+ {{ if .Values.mtls.upstreamAuthority.awsPCA }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/aws-pca-ua.conf") . }}
+ {{ else if .Values.mtls.upstreamAuthority.awsSecret }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/aws-secret-ua.conf") . }}
+ {{ else if .Values.mtls.upstreamAuthority.disk }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/disk-ua.conf") . }}
+ {{ else if .Values.mtls.upstreamAuthority.vault }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/vault-ua.conf") . }}
+ {{ else if .Values.mtls.upstreamAuthority.certManager }}
+ {{ tpl (.Files.Get "configs/upstreamAuthority/cert-manager-ua.conf") . }}
+ {{ end }}
+
+}
+
+health_checks {
+ listener_enabled = true
+ bind_address = "0.0.0.0"
+ bind_port = "8082"
+ live_path = "/live"
+ ready_path = "/ready"
+}
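Review bot: `log_level = "DEBUG"` is hard-coded for the SPIRE server, i.e. the mesh CA, while `caTTL`, `svidTTL` and `caKeyType` are all values; at debug level SPIRE logs attestation and registration-entry activity for every agent and workload, which is a lot of identity metadata to ship to whatever collects pod logs. Exposing it as a value with a safe default, e.g. `log_level = {{ .Values.mtls.spireLogLevel | default "INFO" | quote }}`, and doing the same in spire-agent.conf and k8s-workload-registrar.conf, keeps the diagnostics available without making them the default. When `spireServerKeyManager` is `memory` the CA signing key exists only in process memory, so a server restart presumably means a fresh CA and a rotation for every workload; that trade-off deserves a comment next to the value.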
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-credentials.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-credentials.conf
new file mode 100644
index 000000000..422c92265
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-credentials.conf
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id = {{ .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID }}
+aws_secret_access_key = {{ .Values.mtls.upstreamAuthority.awsPCA.awsSecretAccessKey }}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-pca-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-pca-ua.conf
new file mode 100644
index 000000000..a296cf881
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-pca-ua.conf
@@ -0,0 +1,16 @@
+UpstreamAuthority "aws_pca" {
+ plugin_data {
+ region = {{ quote .Values.mtls.upstreamAuthority.awsPCA.region }}
+ certificate_authority_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.certificateAuthorityArn }}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}
+ ca_signing_template_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.caSigningTemplateArn }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}
+ signing_algorithm = {{ quote .Values.mtls.upstreamAuthority.awsPCA.signingAlgorithm }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}
+ assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsPCA.assumeRoleArn }}{{end}}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.endpoint }}
+ endpoint = {{ quote .Values.mtls.upstreamAuthority.awsPCA.endpoint }}{{end}}
+ {{- if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundlePath }}
+ supplemental_bundle_path = "/run/spire/config/upstreamBundle.crt"{{end}}
+ }
+}
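Review bot: aws-credentials.conf renders a static IAM access key pair from Helm values into a credentials file, so the secret ends up in the rendered manifest, in the Helm release Secret (`helm get values`), and on whichever ConfigMap or Secret this file is mounted from — and values files are routinely committed to git, which is how long-lived keys leak. The aws_pca plugin can use the pod's ambient credentials, so the recommended shape is an IAM role bound to the SPIRE server service account (IRSA/pod identity) plus `assumeRoleArn`, with the static-key path documented as a fallback and `awsAccessKeyID`/`awsSecretAccessKey` marked as sensitive. Which object mounts this file is not visible in this hunk; if it is a ConfigMap, move it to a Secret.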
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-secret-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-secret-ua.conf
new file mode 100644
index 000000000..5e8763aff
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/aws-secret-ua.conf
@@ -0,0 +1,15 @@
+UpstreamAuthority "awssecret" {
+ plugin_data {
+ region = {{ quote .Values.mtls.upstreamAuthority.awsSecret.region }}
+ cert_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.certFileArn }}
+ key_file_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.keyFileArn }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}
+ access_key_id = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsAccessKeyID }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}
+ secret_access_key = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretAccessKey }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}
+ secret_token = {{ quote .Values.mtls.upstreamAuthority.awsSecret.awsSecretToken }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}
+ assume_role_arn = {{ quote .Values.mtls.upstreamAuthority.awsSecret.assumeRoleArn }}{{ end }}
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/cert-manager-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/cert-manager-ua.conf
new file mode 100644
index 000000000..642a50424
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/cert-manager-ua.conf
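Review bot: `access_key_id`, `secret_access_key` and `secret_token` are rendered straight into the SPIRE server configuration from chart values, so the long-lived AWS credentials that guard the upstream CA key end up in the release values and in the rendered config object, not only in Secrets Manager where the key itself lives. The plugin falls back to the default AWS credential chain when these are omitted, so IRSA/pod identity plus `assume_role_arn` avoids storing any key material in the chart; at minimum mark these values as sensitive in values.yaml/README and render this file from a Secret, which this hunk does not show.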
@@ -0,0 +1,12 @@
+UpstreamAuthority "cert-manager" {
+ plugin_data {
+ namespace = {{ quote .Values.mtls.upstreamAuthority.certManager.namespace }}
+ issuer_name = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerName }}
+ {{- if .Values.mtls.upstreamAuthority.certManager.issuerKind }}
+ issuer_kind = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerKind }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.certManager.issuerGroup }}
+ issuer_group = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerGroup }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.certManager.kubeConfig }}
+ kube_config_file = "/run/spire/secrets/cert-manager-kubeconfig"{{ end }}
+ }
+}
\ No newline at end of file
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/disk-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/disk-ua.conf
new file mode 100644
index 000000000..87f402d41
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/disk-ua.conf
@@ -0,0 +1,8 @@
+UpstreamAuthority "disk" {
+ plugin_data {
+ cert_file_path = "/run/spire/config/upstreamCA.crt"
+ key_file_path = "/run/spire/secrets/upstreamCA.key"
+ {{- if .Values.mtls.upstreamAuthority.disk.bundle }}
+ bundle_file_path = "/run/spire/config/upstreamBundle.crt"{{ end }}
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/vault-ua.conf b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/vault-ua.conf
new file mode 100644
index 000000000..744eb77fa
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/configs/upstreamAuthority/vault-ua.conf
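Review bot: with the `disk` UpstreamAuthority the upstream CA private key is a plain file at `/run/spire/secrets/upstreamCA.key` inside the SPIRE server pod, so anyone who can exec into that pod, read its volumes, or read the Kubernetes Secret behind the mount holds the root of the trust domain outright, with no HSM or external signer in the path. SPIRE's documentation, as far as I recall, positions this plugin as a development/testing option; the chart should say so next to `mtls.upstreamAuthority.disk` and steer production installs to the vault, aws_pca or cert-manager variants that keep the key out of the cluster.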
@@ -0,0 +1,28 @@
+UpstreamAuthority "vault" {
+ plugin_data {
+ vault_addr = {{ quote .Values.mtls.upstreamAuthority.vault.vaultAddr }}
+ namespace = {{ quote .Values.mtls.upstreamAuthority.vault.namespace }}
+ ca_cert_path = "/run/spire/config/upstreamCA.crt"
+ {{- if .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}
+ pki_mount_path = {{ quote .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}
+ insecure_skip_verify = {{ .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.certAuth}}
+ cert_auth = {
+ client_cert_path = "/run/spire/config/upstreamClient.crt"
+ client_key_path = "/run/spire/secrets/upstreamClient.key"
+ {{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}
+ cert_auth_role_name = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}
+ cert_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}{{ end }}
+ }{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.tokenAuth }}
+ token_auth = {}{{ end }}
+ {{- if .Values.mtls.upstreamAuthority.vault.approleAuth }}
+ approle_auth = {
+ approle_id = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleID }}
+ {{- if .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}
+ approle_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}{{ end }}
+ }{{ end }}
+ }
+}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/circuitbreaker.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/circuitbreaker.yaml
new file mode 100644
index 000000000..d5155fbb2
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/circuitbreaker.yaml
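Review bot: `insecure_skip_verify` is passed through verbatim from values, and when it is true the mounted `ca_cert_path` is irrelevant: the SPIRE server will accept any endpoint as Vault and hand it the AppRole ID or client-certificate login plus every CSR for the mesh's intermediate CA, which is a machine-in-the-middle position on the trust root. The value should be documented as test-only, and the template can refuse it unless an explicit acknowledgement is also set, e.g. `{{- if and .Values.mtls.upstreamAuthority.vault.insecureSkipVerify (not .Values.mtls.upstreamAuthority.vault.allowInsecure) }}{{ fail "vault.insecureSkipVerify disables TLS verification of Vault; set vault.allowInsecure to confirm" }}{{ end }}`.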
@@ -0,0 +1,78 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: circuitbreakers.specs.smi.nginx.com + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi.nginx.com + scope: Namespaced + names: + kind: CircuitBreaker + listKind: CircuitBreakerList + shortNames: + - cb + plural: circuitbreakers + singular: circuitbreaker + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + description: Specifications of this circuit breaker. + type: object + required: + - destination + - errors + - timeoutSeconds + properties: + destination: + description: The destination of this circuit breaker. + type: object + required: + - name + - kind + properties: + kind: + description: Kind of the destination. + type: string + enum: + - Service + name: + description: Name of the destination. + type: string + minLength: 1 + namespace: + description: Namespace of the destination. + type: string + errors: + description: The number of errors allowed within the timeout before + tripping the circuit. + type: integer + minimum: 0 + timeoutSeconds: + description: The timeout window for errors to occur, and the amount + of time to wait before closing the circuit. + type: integer + minimum: 0 + fallback: + description: The fallback Service to send traffic to when the circuit + is tripped. + type: object + properties: + service: + description: The fallback Service to send traffic to when the + circuit is tripped. + type: string + port: + description: The port of the fallback Service. + type: integer + minimum: 0 + maximum: 65535 diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/httproutegroup.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/httproutegroup.yaml new file mode 100644 index 000000000..b1ee68f88 --- /dev/null 
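Review bot: `fallback.port` allows `minimum: 0` and `fallback.service` has no `minLength`, so a CircuitBreaker whose fallback is `""` on port 0 passes admission, as does `timeoutSeconds: 0`, a zero-width error window; those objects then fail or misbehave in the controller instead of at the API server. `minimum: 1` on `fallback.port` and `timeoutSeconds`, and `minLength: 1` on `fallback.service`, close that. `errors: 0` is presumably meaningful (trip on the first error), so that bound can stay.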
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/httproutegroup.yaml @@ -0,0 +1,68 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutegroups.specs.smi-spec.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi-spec.io + scope: Namespaced + names: + kind: HTTPRouteGroup + shortNames: + - htr + plural: httproutegroups + singular: httproutegroup + versions: + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - matches + properties: + matches: + description: Match conditions of this route group. + type: array + items: + type: object + required: + - name + properties: + name: + description: Name of the HTTP route. + type: string + pathRegex: + description: URI path regex of the HTTP route. + type: string + methods: + description: The HTTP methods of this HTTP route. + type: array + items: + type: string + description: The HTTP method of this HTTP route. + enum: + - "*" + - GET + - HEAD + - PUT + - POST + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + headers: + description: Header match conditions of this route. + type: array + items: + description: Header match condition of this route. + type: object + additionalProperties: + type: string diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/ratelimit.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/ratelimit.yaml new file mode 100644 index 000000000..95fe8433b --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/ratelimit.yaml 
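Review bot: `pathRegex` is an unbounded free string that the controller presumably compiles into the sidecars' nginx configuration as a PCRE, so a tenant who can create HTTPRouteGroups in a namespace can ship a catastrophically backtracking pattern that costs data-plane CPU on every request reaching the match. A `maxLength` on `pathRegex` (and on `headers` values, which are matched the same way) bounds that cheaply; rejecting nested quantifiers would need the controller. Also `spec` is not in `required` at the top level, so an HTTPRouteGroup with no spec at all is admitted.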
@@ -0,0 +1,175 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ratelimits.specs.smi.nginx.com + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi.nginx.com + scope: Namespaced + names: + kind: RateLimit + listKind: RateLimitList + shortNames: + - rl + plural: ratelimits + singular: ratelimit + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - name + - destination + - rate + properties: + destination: + description: The destination of this rate limit. + type: object + required: + - name + - kind + properties: + kind: + description: Kind of the destination. + type: string + minLength: 1 + name: + description: Name of the destination. + type: string + minLength: 1 + namespace: + description: Namespace of the destination. + type: string + sources: + description: Sources of this rate limit. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this source. + type: string + minLength: 1 + name: + description: Name of this source. + type: string + minLength: 1 + namespace: + description: Namespace of this source. + type: string + name: + description: Name of this rate limit spec. + type: string + minLength: 1 + rate: + description: The allowed rate of traffic. + type: string + pattern: "^[0-9]+r/[s,m]$" + burst: + description: The number of requests to allow beyond the given rate. + type: integer + minimum: 0 + delay: + description: The number of requests after which to delay requests. + x-kubernetes-int-or-string: true + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - name + - destination + - rate + properties: + destination: + description: The destination of this rate limit. 
+ type: object + required: + - name + - kind + properties: + kind: + description: Kind of the destination. + type: string + minLength: 1 + name: + description: Name of the destination. + type: string + minLength: 1 + namespace: + description: Namespace of the destination. + type: string + sources: + description: Sources of this rate limit. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this source. + type: string + minLength: 1 + name: + description: Name of this source. + type: string + minLength: 1 + namespace: + description: Namespace of this source. + type: string + name: + description: Name of this rate limit spec. + type: string + minLength: 1 + rate: + description: The allowed rate of traffic. + type: string + pattern: "^[0-9]+r/[s,m]$" + burst: + description: The number of requests to allow beyond the given rate. + type: integer + minimum: 0 + delay: + description: The number of requests after which to delay requests. + x-kubernetes-int-or-string: true + rules: + description: Routing rules of this rate limit. + type: array + items: + type: object + required: + - name + - kind + properties: + kind: + description: Kind of this routing rule. + type: string + enum: + - HTTPRouteGroup + name: + description: Name of this routing rule. + type: string + minLength: 1 + matches: + description: Match conditions of this routing rule. + type: array + items: + type: string diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/spiffeid.spiffe.io_spiffeids.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/spiffeid.spiffe.io_spiffeids.yaml new file mode 100644 index 000000000..fbd2eb77c --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/spiffeid.spiffe.io_spiffeids.yaml 
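Review bot: the `rate` pattern `^[0-9]+r/[s,m]$` in both v1alpha1 and v1alpha2 puts a comma inside the character class, so `10r/,` validates alongside `10r/s` and `10r/m`; the comma is a literal there, not a separator. It should be `pattern: "^[0-9]+r/[sm]$"`. `0r/s` also passes; whether the controller or nginx rejects a zero rate is not visible here, so `^[1-9][0-9]*r/[sm]$` is the safer form if zero is not meaningful.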
@@ -0,0 +1,107 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: spiffeids.spiffeid.spiffe.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: spiffeid.spiffe.io + names: + kind: SpiffeID + listKind: SpiffeIDList + plural: spiffeids + singular: spiffeid + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: SpiffeID is the Schema for the spiffeid API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SpiffeIDSpec defines the desired state of SpiffeID + properties: + dnsNames: + items: + type: string + type: array + federatesWith: + items: + type: string + type: array + parentId: + type: string + selector: + properties: + arbitrary: + description: Arbitrary selectors + items: + type: string + type: array + containerImage: + description: Container image to match for this spiffe ID + type: string + containerName: + description: Container name to match for this spiffe ID + type: string + namespace: + description: Namespace to match for this spiffe ID + type: string + nodeName: + description: Node name to match for this spiffe ID + type: string + podLabel: + additionalProperties: + type: string + description: Pod label name/value to match for this spiffe ID + type: object + podName: + description: Pod name to match for this spiffe ID + type: string + podUid: + description: Pod UID to match for this spiffe ID + type: string + serviceAccount: + description: ServiceAccount to match for this spiffe ID + type: string + cluster: + description: The k8s_psat cluster name + type: string + agent_node_uid: + description: UID of the node + type: string + type: object + spiffeId: + type: string + required: + - parentId + - selector + - spiffeId + type: object + status: + description: SpiffeIDStatus defines the observed state of SpiffeID + properties: + entryId: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + type: string + type: object + type: object diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/tcproute.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/tcproute.yaml new file mode 100644 index 000000000..4f91f25a1 --- /dev/null 
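Review bot: `spiffeId` and `parentId` are unconstrained strings, yet a SpiffeID object is a request for the registrar to create a SPIRE registration entry, so create/update on this resource amounts to minting identities in the trust domain and the schema does not even require the `spiffe://` scheme, let alone the chart's own trust domain. A `pattern: '^spiffe://[^/]+(/.*)?$'` on both fields plus a `maxLength` rejects malformed values at admission, and the chart's RBAC should treat this resource as privileged (writes only from the registrar's service account). Whether the registrar itself rejects foreign trust domains is not visible in this hunk.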
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/tcproute.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tcproutes.specs.smi-spec.io + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + group: specs.smi-spec.io + scope: Namespaced + names: + kind: TCPRoute + shortNames: + - tr + plural: tcproutes + singular: tcproute + versions: + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/trafficsplit.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/trafficsplit.yaml new file mode 100644 index 000000000..90ca7010a --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/trafficsplit.yaml 
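Review bot: the TCPRoute schema is only `openAPIV3Schema: type: object` with no properties and no `x-kubernetes-preserve-unknown-fields: true`; on `apiextensions.k8s.io/v1` the API server prunes fields that are not in the schema, so a TCPRoute's `spec` (the SMI `matches.ports` list) may be dropped at admission before the controller ever sees it. If no validation is the intent, add `x-kubernetes-preserve-unknown-fields: true` under `openAPIV3Schema`; better, describe `spec.matches[].ports` as the sibling CRDs do for their fields.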
@@ -0,0 +1,72 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: trafficsplits.split.smi-spec.io
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ group: split.smi-spec.io
+ scope: Namespaced
+ names:
+ kind: TrafficSplit
+ listKind: TrafficSplitList
+ shortNames:
+ - ts
+ plural: trafficsplits
+ singular: trafficsplit
+ versions:
+ - name: v1alpha3
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - name: Service
+ type: string
+ description: The apex service of this split.
+ jsonPath: .spec.service
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ required:
+ - service
+ - backends
+ properties:
+ service:
+ description: The apex service of this split.
+ type: string
+ matches:
+ description: The HTTP route groups that this traffic split should
+ match.
+ type: array
+ items:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ description: Kind of the matching group.
+ type: string
+ enum:
+ - HTTPRouteGroup
+ name:
+ description: Name of the matching group.
+ type: string
+ backends:
+ description: The backend services of this split.
+ type: array
+ items:
+ type: object
+ required:
+ - service
+ - weight
+ properties:
+ service:
+ description: Name of the Kubernetes service.
+ type: string
+ weight:
+ description: Traffic weight value of this backend.
+ type: number
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/traffictarget.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/traffictarget.yaml
new file mode 100644
index 000000000..24bae1428
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/crds/traffictarget.yaml
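Review bot: `weight` under `backends.items.properties` is `type: number` with no bounds, so a negative or fractional weight passes admission and what the mesh then does with it is undefined from the API's side; adding `minimum: 0` (and `type: integer`, if the controller only accepts whole weights — confirm) lets the API server reject it up front. The two `port` fields in `traffictarget.yaml` (the next hunk) have the same gap and would take `minimum: 1` and `maximum: 65535`. Failing malformed policy at admission is preferable to having the controller silently ignore or misapply it.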
@@ -0,0 +1,92 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: traffictargets.access.smi-spec.io
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ group: access.smi-spec.io
+ scope: Namespaced
+ names:
+ kind: TrafficTarget
+ shortNames:
+ - tt
+ plural: traffictargets
+ singular: traffictarget
+ versions:
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ required:
+ - destination
+ properties:
+ destination:
+ description: The destination of this traffic target.
+ type: object
+ required:
+ - name
+ - kind
+ properties:
+ kind:
+ description: Kind of the destination.
+ type: string
+ name:
+ description: Name of the destination.
+ type: string
+ namespace:
+ description: Namespace of the destination.
+ type: string
+ port:
+ description: Port number of the destination.
+ type: number
+ rules:
+ description: Specifications of this traffic target.
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - kind
+ properties:
+ kind:
+ description: Kind of this spec.
+ type: string
+ enum:
+ - HTTPRouteGroup
+ - TCPRoute
+ name:
+ description: Name of this spec.
+ type: string
+ matches:
+ description: Match conditions of this spec.
+ type: array
+ items:
+ type: string
+ sources:
+ description: Sources of this traffic target.
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - kind
+ properties:
+ kind:
+ description: Kind of this source.
+ type: string
+ name:
+ description: Name of this source.
+ type: string
+ namespace:
+ description: Namespace of this source.
+ type: string
+ port:
+ description: Port number of the source.
+ type: number
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/questions.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/questions.yaml
new file mode 100644
index 000000000..6c52783cb
--- /dev/null
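Review bot: `destination.kind` and `sources.items.kind` are free-form strings while `rules.items.kind` in the same schema is constrained by an `enum`; since TrafficTarget is the access-control resource, a mistyped kind on a source or destination is accepted by the API server and then (presumably) never matches any workload, which is a policy that silently does nothing rather than one that fails at admission. If the controller only honours a fixed set of kinds (ServiceAccount is the usual one in SMI — confirm), an `enum` on both fields would make a bad policy visible at apply time; if the set is open-ended, a comment on the schema saying which kinds the mesh evaluates would serve the same purpose.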
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/questions.yaml 
@@ -0,0 +1,213 @@
+questions:
+- variable: useDefaultImages
+ default: true
+ description: "Use default image settings."
+ label: Use default images
+ type: boolean
+ show_subquestion_if: false
+ group: "Image Registry"
+ subquestions:
+ - variable: registry.server
+ default: "docker-registry.nginx.com/nsm"
+ description: "Hostname:port (if needed) for registry and path to images."
+ label: Image registry server
+ type: string
+ - variable: registry.imageTag
+ default: "1.4.0"
+ description: "Tag used for pulling images from registry."
+ label: Image tag
+ type: string
+ - variable: registry.key
+ default: ""
+ description: "Contents of your Google Cloud JSON key file. Cannot be used with username or password."
+ label: Image registry key
+ type: string
+ - variable: registry.username
+ default: ""
+ description: "Username for accessing private registry."
+ label: Image registry username
+ type: string
+ - variable: registry.password
+ default: ""
+ description: "Password for accessing private registry."
+ label: Image registry password
+ type: string
+ - variable: registry.disablePublicImages
+ default: false
+ description: "Do not pull third party images from public repositories. If true, registry.server is used for all images."
+ label: Disable public images
+ type: boolean
+ - variable: registry.imagePullPolicy
+ default: "IfNotPresent"
+ description: "Image pull policy."
+ label: Image pull policy
+ type: string
+- variable: useMtlsDefaults
+ default: true
+ description: "Use default mTLS settings."
+ label: Use default mTLS settings
+ type: boolean
+ show_subquestion_if: false
+ group: "Mutual TLS"
+ subquestions:
+ - variable: mtls.mode
+ default: "permissive"
+ description: "mTLS mode for pod-to-pod communication."
+ label: mTLS mode
+ type: enum
+ options:
+ - "off"
+ - "permissive"
+ - "strict"
+ - variable: mtls.caTTL
+ default: "720h"
+ description: "The CA/signing key TTL in hours(h) or minutes(m)."
+ label: mTLS caTTL
+ type: string
+ - variable: mtls.svidTTL
+ default: "1h"
+ description: "The TTL of certificates issued to workloads in hours(h) or minutes(m)."
+ label: mTLS svidTTL
+ type: string
+ - variable: mtls.trustDomain
+ default: "example.org"
+ description: "The trust domain of the NGINX Service Mesh."
+ label: mTLS trust domain
+ type: string
+ - variable: mtls.persistentStorage
+ default: "on"
+ description: "Use persistent storage; 'on' assumes that a StorageClass exists."
+ label: mTLS persistent storage
+ type: enum
+ options:
+ - "on"
+ - "off"
+ - variable: mtls.spireServerKeyManager
+ default: "disk"
+ description: "Storage logic for SPIRE Server's private keys."
+ label: mTLS spire server key manager
+ type: enum
+ options:
+ - "disk"
+ - "memory"
+ - variable: mtls.caKeyType
+ default: "ec-p256"
+ description: "The key type used for the SPIRE Server CA."
+ label: mTLS ca key type
+ type: enum
+ options:
+ - "ec-p256"
+ - "ec-p384"
+ - "rsa-2048"
+ - "rsa-4096"
+- variable: useTracingDefaults
+ default: true
+ description: "Use default tracing settings. If you would like to enable telemetry instead, please see the README for instructions."
+ label: Use default tracing settings
+ type: boolean
+ show_subquestion_if: false
+ group: "Tracing"
+ subquestions:
+ - variable: tracing.disable
+ default: false
+ description: "Disable tracing for all services. This option will be removed in version 1.5."
+ label: Disable tracing
+ type: boolean
+ - variable: tracing.address
+ default: ""
+ description: "The address of a tracing server deployed in your Kubernetes cluster."
+ label: Tracing address
+ type: string
+ - variable: tracing.backend
+ default: "jaeger"
+ description: "The tracing backend that you want to use."
+ label: Tracing backend
+ type: enum
+ options:
+ - "jaeger"
+ - "zipkin"
+ - "datadog"
+ - variable: tracing.sampleRate
+ default: 0.01
+ description: "The sample rate to use for tracing. Float between 0 and 1."
+ label: Tracing sample rate
+ type: float
+- variable: autoInjection.disable
+ default: false
+ description: "Disable automatic sidecar injection upon resource creation."
+ label: Disable auto injection
+ type: boolean
+ group: "General Settings"
+- variable: accessControlMode
+ default: "allow"
+ description: "Default access control mode for service-to-service communication."
+ label: Access control mode
+ type: enum
+ options:
+ - "allow"
+ - "deny"
+ group: "General Settings"
+- variable: deployGrafana
+ default: true
+ description: "Deploy Grafana as a part of NGINX Service Mesh. This option will be removed in version 1.5."
+ label: Deploy Grafana
+ type: boolean
+ group: "General Settings"
+- variable: nginxErrorLogLevel
+ default: "warn"
+ description: "NGINX error log level."
+ label: NGINX error log level.
+ type: enum
+ options:
+ - "debug"
+ - "info"
+ - "notice"
+ - "warn"
+ - "error"
+ - "crit"
+ - "alert"
+ - "emerg"
+ group: "General Settings"
+- variable: nginxLogFormat
+ default: "default"
+ description: "NGINX log format."
+ label: NGINX log format.
+ type: enum
+ options:
+ - "default"
+ - "json"
+ group: "General Settings"
+- variable: nginxLBMethod
+ default: "least_time"
+ description: "NGINX load balancing method."
+ label: NGINX load balancing method.
+ type: enum
+ options:
+ - "least_conn"
+ - "least_time"
+ - "least_time last_byte"
+ - "least_time last_byte inflight"
+ - "random"
+ - "random two"
+ - "random two least_conn"
+ - "random two least_time"
+ - "random two least_time=last_byte"
+ - "round_robin"
+ group: "General Settings"
+- variable: prometheusAddress
+ description: "The address of a Prometheus server deployed in your Kubernetes cluster."
+ label: Prometheus address.
+ type: string
+ group: "General Settings"
+- variable: enableUDP
+ description: "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required."
+ label: Enable UDP
+ type: boolean
+ default: false
+ group: "General Settings"
+- variable: rancher
+ default: true
+ description: "Enables Rancher for NGINX Service Mesh (do not disable)."
+ label: Rancher
+ type: boolean
+ group: "General Settings"
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/NOTES.txt b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/NOTES.txt
new file mode 100644
index 000000000..ae929df6d
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/NOTES.txt
@@ -0,0 +1 @@
+NGINX Service Mesh has been installed. Ensure all NGINX Service Mesh Pods are in the Ready state before deploying your apps.
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/_helpers.tpl b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/_helpers.tpl
new file mode 100644
index 000000000..4e2d4b0d3
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/_helpers.tpl
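Review bot: `registry.password` and `registry.key` are declared with `type: string`, which the Rancher form renders as a plain, visible text field; the questions schema has a `password` type that masks input, so `type: password` fits both (the key holds the full contents of a cloud JSON key file, per its own description). The two open-by-default choices, `mtls.mode: "permissive"` and `accessControlMode: "allow"`, are sensible for onboarding but their descriptions do not say which option is the hardened one; a clause such as `"permissive" accepts plaintext from unmeshed pods; use "strict" once all workloads are injected` in the mTLS description, and the equivalent for `"deny"`, would let an operator choose knowingly from the form. The hunk for NOTES.txt that follows needs no change.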
@@ -0,0 +1,179 @@ +{{- define "jaeger.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}jaegertracing{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "zipkin.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}openzipkin{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "tracing.address" -}} +{{- if ne .Values.tracing.address "" -}} +{{ .Values.tracing.address }} +{{- else if eq .Values.tracing.backend "jaeger" -}} +jaeger.{{.Release.Namespace}}.svc.cluster.local:6831 +{{- else if eq .Values.tracing.backend "zipkin" -}} +zipkin.{{.Release.Namespace}}.svc.cluster.local:9411 +{{- end }} +{{- end }} + +{{- define "prometheus.address" -}} +{{- if eq .Values.prometheusAddress "" -}} +prometheus.{{.Release.Namespace}}.svc.cluster.local:9090 +{{- else -}} +{{ .Values.prometheusAddress }} +{{- end }} +{{- end }} + +{{- define "prometheus.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}prom{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "grafana.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}grafana{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "nats.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }} +{{- end }} + +{{- define "spire.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}gcr.io/spiffe-io{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "node-driver.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}quay.io/k8scsi{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "hook.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}bitnami{{ else }}{{ .Values.registry.server }}{{ end }} +{{- end }} + +{{- define "ubuntu.image-server" -}} +{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server 
}}/{{ end }} +{{- end }} + +{{- define "registry-key-name" -}} +nginx-mesh-registry-key +{{- end }} + +{{- define "docker-config-json" -}} +{{- if (and (.Values.registry.username) (.Values.registry.password)) }} +{ + "auths": { + {{ quote .Values.registry.server }}: { + "username": {{ quote .Values.registry.username }}, + "password": {{ quote .Values.registry.password }}, + "auth": {{ printf "%s:%s" .Values.registry.username .Values.registry.password | b64enc | quote }} + } + } +} +{{- else if (.Values.registry.key) }} +{ + "auths": { + {{ quote .Values.registry.server }}: { + "username": "_json_key", + "password": {{ quote .Values.registry.key }} + } + } +} +{{- end }} +{{- end }} + +{{/* +Define the name of the key where the Upstream Authority secret data is stored. +*/}} +{{- define "ua-secret-name" -}} +{{- if .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}} +credentials {{- end }} +{{- else if .Values.mtls.upstreamAuthority.disk -}} +upstreamCA.key +{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}} +upstreamClient.key{{ end }} +{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}} +cert-manager-kubeconfig{{ end }} +{{- end }} +{{- end }} + +{{/* +Define the name of the mount path where the Upstream Authority secret data is stored. 
+*/}} +{{- define "ua-secret-mountpath" -}} +{{- if and .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}} +/root/.aws {{- end }} +{{- else if .Values.mtls.upstreamAuthority.disk -}} +/run/spire/secrets +{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}} +/run/spire/secrets{{ end }} +{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}} +/run/spire/secrets{{ end }} +{{- end }} +{{- end }} + +{{/* +Define the upstream certificate to be used for the Upstream Authority. +*/}} +{{- define "ua-upstream-cert" -}} +{{- if .Values.mtls.upstreamAuthority.disk -}} +upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.disk.cert }} +{{- else if .Values.mtls.upstreamAuthority.vault -}} +upstreamCA.crt: {{ quote .Values.mtls.upstreamAuthority.vault.caCert }} +{{- end }} +{{- end }} + +{{/* +Define the upstream bundle to be used for the Upstream Authority. +*/}} +{{- define "ua-upstream-bundle" -}} +{{- if .Values.mtls.upstreamAuthority.disk }}{{ if .Values.mtls.upstreamAuthority.disk.bundle -}} +upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.disk.bundle }}{{ end }} +{{- else if .Values.mtls.upstreamAuthority.awsPCA }}{{ if .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle -}} +upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.awsPCA.supplementalBundle }}{{ end }} +{{- end }} +{{- end }} + +{{/* +Define the Upstream Authority value to be stored in the Secret. +*/}} +{{- define "ua-secret-value" -}} +{{- if .Values.mtls.upstreamAuthority.awsPCA -}} +{{ tpl (.Files.Get "configs/upstreamAuthority/aws-credentials.conf") . 
| b64enc }} +{{- else if .Values.mtls.upstreamAuthority.disk -}} +{{ .Values.mtls.upstreamAuthority.disk.key | b64enc }} +{{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}} +{{ .Values.mtls.upstreamAuthority.vault.certAuth.clientKey | b64enc }}{{ end }} +{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}} +{{ .Values.mtls.upstreamAuthority.certManager.kubeConfig | b64enc }}{{ end }} +{{- end }} +{{- end }} + +{{/* +Define variables associated with the Vault Upstream Authority. +*/}} + +{{- define "ua-vault-env-name" -}} +{{- if .Values.mtls.upstreamAuthority.vault -}} +{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}} +VAULT_TOKEN +{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}} +VAULT_APPROLE_SECRET_ID +{{- end }} +{{- end }} +{{- end }} + +{{- define "ua-vault-env-value" -}} +{{- if .Values.mtls.upstreamAuthority.vault -}} +{{- if .Values.mtls.upstreamAuthority.vault.tokenAuth -}} +{{ b64enc .Values.mtls.upstreamAuthority.vault.tokenAuth.token }} +{{- else if .Values.mtls.upstreamAuthority.vault.approleAuth -}} +{{ b64enc .Values.mtls.upstreamAuthority.vault.approleAuth.approleSecretID }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "ua-upstream-client-cert" -}} +{{- if .Values.mtls.upstreamAuthority.vault -}} +{{- if .Values.mtls.upstreamAuthority.vault.certAuth -}} +upstreamClient.crt: {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.clientCert }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/grafana.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/grafana.yaml new file mode 100644 index 000000000..782c9f4f6 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/grafana.yaml 
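Review bot: In `docker-config-json`, the registry server, username, password and key are spliced into a JSON document with `quote`, which wraps the value in double quotes using Go `%q` escaping rather than JSON escaping; for ordinary credentials the two coincide, but a value containing control or non-printable bytes is emitted as `\xNN`, which JSON does not accept, and the resulting pull secret fails to parse at the kubelet. `toJson` produces a correctly escaped JSON string and is a drop-in replacement, e.g. `"password": {{ toJson .Values.registry.password }},` and `"password": {{ toJson .Values.registry.key }}` in the `_json_key` branch; the `auth` field is base64-encoded before quoting and is unaffected. Separately, the `ua-*` helpers all dereference `.Values.mtls.upstreamAuthority.<backend>` unguarded, which errors at render time if `upstreamAuthority` itself is absent from values — fine if `values.yaml` always defines it (not visible here), otherwise an outer `{{- if .Values.mtls.upstreamAuthority }}` is needed.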
@@ -0,0 +1,137 @@ +{{- if .Values.deployGrafana }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: grafana + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: grafana.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: grafana.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: grafana.metrics.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: grafana + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-config + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + dashboards.yaml: {{ .Files.Get "configs/grafana-dashboard-conf.yaml" | quote }} + datasources.yaml: {{ tpl (.Files.Get "configs/grafana-datasources-conf.yaml") . 
| quote }} + grafana.ini: {{ .Files.Get "configs/grafana.ini" | quote }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-dashboards + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + top.json: {{ .Files.Get "configs/grafana-top-dashboard.json" | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: grafana + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: grafana + containers: + - name: grafana + image: {{ include "grafana.image-server" . 
}}/grafana:8.3.4 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + ports: + - containerPort: 3000 + volumeMounts: + - name: grafana-config-volume + mountPath: "/etc/grafana" + - name: grafana-dashboard-volume + mountPath: "/var/lib/grafana/dashboards" + - name: grafana-dashboard-home + mountPath: "/usr/share/grafana/public/dashboards" + volumes: + - name: grafana-config-volume + configMap: + name: grafana-config + items: + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: grafana.ini + path: grafana.ini + - name: grafana-dashboard-volume + configMap: + name: grafana-dashboards + items: + - key: top.json + path: top.json + - name: grafana-dashboard-home + configMap: + name: grafana-dashboards + items: + - key: top.json + path: home.json +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/jaeger.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/jaeger.yaml new file mode 100644 index 000000000..040862a1e --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/jaeger.yaml 
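Review bot: The `grafana.metrics.builtin.nsm.nginx` ClusterRole grants cluster-wide get/list/watch on `services`, `endpoints` and `pods`, yet nothing in this hunk shows Grafana reading the Kubernetes API — its only configured inputs are the dashboards and datasources ConfigMaps, and service discovery normally belongs to the Prometheus side. If Grafana does not need these permissions, the ClusterRole and ClusterRoleBinding can be dropped and the ServiceAccount given `automountServiceAccountToken: false`; if it does, a comment above the ClusterRole naming the consumer (`# needed by the <datasource/plugin> for …`) would settle the question for the next reviewer. The Deployment also carries no `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`) and no `resources` block; the jaeger and nats templates in this change have the same gap.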
@@ -0,0 +1,60 @@
+{{- if .Values.tracing }} {{ if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger
+ labels:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ selector:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/part-of: nginx-service-mesh
+ type: ClusterIP
+ ports:
+ - name: frontend
+ port: 16686
+ targetPort: 16686
+ - name: collector
+ port: 6831
+ targetPort: 6831
+ protocol: UDP
+ - name: collector-http
+ port: 14268
+ protocol: TCP
+ targetPort: 14268
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jaeger
+ labels:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/part-of: nginx-service-mesh
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/part-of: nginx-service-mesh
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '16686'
+ spec:
+ imagePullSecrets:
+ - name: {{ include "registry-key-name" . }}
+ containers:
+ - name: jaeger
+ image: {{ include "jaeger.image-server" . }}/all-in-one:1.31.0
+ imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
+ ports:
+ - containerPort: 16686
+ - containerPort: 6831
+ protocol: UDP
+{{- end }}{{- end }}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nats.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nats.yaml
new file mode 100644
index 000000000..e5bf63934
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nats.yaml
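Review bot: The opening condition has a literal space between `{{- if .Values.tracing }}` and `{{ if (...) }}`, so when both are true the rendered manifest begins with a line holding a single space before `---`; Helm tolerates the resulting empty leading document, but the closing `{{- end }}{{- end }}` is trim-prefixed, and writing the opening as `{{- if .Values.tracing }}{{- if (and ...) }}` keeps the pair symmetric and the output clean. More substantively, the `all-in-one` image (by its default configuration, to be confirmed for 1.31.0) holds traces in memory and the single-replica Deployment mounts no volume, so every restart discards all traces; if that is intended for a bundled default backend, a comment above the Deployment such as `# in-memory all-in-one: traces are lost on restart; point tracing.address at a persistent collector for production` would stop operators relying on it. The container also lacks `resources` and a `securityContext`.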
@@ -0,0 +1,153 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nats + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: nats-config + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + nats.conf: {{ .Files.Get "configs/nats.conf" | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: nats-server + labels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh + clusterIP: None + ports: + - name: client + port: 4222 + - name: monitor + port: 8222 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nats-server + labels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + matchLabels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: nats-server + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/spiffeid: "true" + spec: + serviceAccountName: nats + volumes: + - name: config-volume + configMap: + name: nats-config + - name: pid + emptyDir: {} + - name: tls + emptyDir: {} + - name: spire-agent-socket + {{ if eq .Values.environment "openshift" -}} + csi: + driver: wlapi-mounter.spire.nginx.com + readOnly: true + {{- else -}} + hostPath: + path: "/run/spire/sockets" + type: DirectoryOrCreate + {{- end }} + shareProcessNamespace: true + terminationGracePeriodSeconds: 60 + imagePullSecrets: + - name: {{ include "registry-key-name" . 
}} + initContainers: + - name: nginx-mesh-cert-reloader-init + image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + volumeMounts: + - name: tls + mountPath: "/etc/ssl" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + containers: + - name: nginx-mesh-cert-reloader + image: {{ .Values.registry.server }}/nginx-mesh-cert-reloader:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "-pid" + - "/var/run/nats/nats.pid" + - "-is-daemon" + volumeMounts: + - name: pid + mountPath: "/var/run/nats" + - name: tls + mountPath: "/etc/ssl" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + - name: nats-server + image: {{ include "nats.image-server" . }}nats:2.7.2-alpine3.15 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + ports: + - containerPort: 4222 + name: client + - containerPort: 8222 + name: monitor + command: + - nats-server + - "--config" + - "/etc/nats-config/nats.conf" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CLUSTER_ADVERTISE + value: "$(POD_NAME).nats-server.$(POD_NAMESPACE).svc" + volumeMounts: + - name: config-volume + mountPath: "/etc/nats-config" + - name: pid + mountPath: "/var/run/nats" + - name: tls + mountPath: "/etc/ssl" + livenessProbe: + httpGet: + path: "/" + port: 8222 + initialDelaySeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: "/" + port: 8222 + initialDelaySeconds: 10 + timeoutSeconds: 5 + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-c" + - "/nats-server -sl=ldm=/var/run/nats/nats.pid && /bin/sleep 60" 
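Review bot: On the non-OpenShift branch the `spire-agent-socket` volume is a `hostPath` to `/run/spire/sockets` with `type: DirectoryOrCreate`; hostPath volumes are forbidden under the Pod Security Admission `baseline` and `restricted` levels, so the nats Deployment only schedules in a namespace enforcing `privileged`, and a user enforcing baseline gets an opaque admission rejection. That requirement belongs in the chart README or in a comment above the volume, e.g. `# hostPath requires the release namespace to allow the "privileged" pod security level; OpenShift uses the CSI driver instead`. `DirectoryOrCreate` also means the kubelet silently creates the directory when no SPIRE agent is present, deferring the failure to `nginx-mesh-cert-reloader-init`; `type: Directory` would fail earlier and more clearly if the agent DaemonSet is guaranteed to run first (confirm). Finally, `nats:2.7.2-alpine3.15` is a mutable public tag — as are `grafana:8.3.4` and `all-in-one:1.31.0` in the sibling templates — and pinning by digest would make the chart's third-party images reproducible.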
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nginx-mesh-api.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nginx-mesh-api.yaml
new file mode 100644
index 000000000..b96043145
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nginx-mesh-api.yaml
@@ -0,0 +1,548 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-mesh-api + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-mesh-api.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - services + - endpoints + verbs: + - "*" +- apiGroups: + - '' + resources: + - secrets + - pods + verbs: + - create + - get + - list + - watch +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - update +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - statefulsets + - deployments + - daemonsets + verbs: + - list + - watch +- apiGroups: + - split.smi-spec.io + resources: + - trafficsplits + verbs: + - "*" +- apiGroups: + - access.smi-spec.io + resources: + - traffictargets + verbs: + - "*" +- apiGroups: + - specs.smi-spec.io + - specs.smi.nginx.com + resources: + - httproutegroups + - tcproutes + - ratelimits + - circuitbreakers + verbs: + - "*" +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx + verbs: + - get + - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - validating-webhook-cfg.internal.builtin.nsm.nginx + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-mesh-api.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-mesh-api.internal.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: nginx-mesh-api + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: nginx-mesh-api.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - apps + resources: + - statefulsets + - deployments + - daemonsets + resourceNames: + - spire-server + - spire-agent + verbs: + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: nginx-mesh-api.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-mesh-api.internal.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: nginx-mesh-api + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-mesh-api-svc.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: nginx-mesh-api + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: nginx-mesh-api-svc.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: nginx-mesh-api + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mesh-config + labels: + app.kubernetes.io/part-of: nginx-service-mesh +binaryData: + mesh-config.json: {{ tpl (.Files.Get "configs/mesh-config.conf") . 
| b64enc | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-mesh-api + labels: + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: 8443 + protocol: TCP + selector: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-mesh-webhook + labels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: admission + port: 443 + targetPort: 9443 + protocol: TCP + selector: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: sidecar-injector-webhook-cfg.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/webhook: "true" +webhooks: +- name: nginx-mesh-api.sidecar.injector + namespaceSelector: + matchExpressions: + - key: injector.nsm.nginx.com/auto-inject + operator: NotIn + values: + - 'false' + clientConfig: + service: + name: nginx-mesh-webhook + namespace: {{ .Release.Namespace }} + path: "/inject" + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-cfg.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/webhook: "true" +webhooks: +- name: nginx-mesh-api.policy.validator + clientConfig: + service: + name: nginx-mesh-webhook + namespace: {{ .Release.Namespace }} + path: "/validate" + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + rules: + - apiGroups: + - split.smi-spec.io + apiVersions: + - "*" + operations: + - CREATE + - UPDATE 
+ - DELETE + resources: + - trafficsplits + - apiGroups: + - specs.smi-spec.io + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - httproutegroups + - apiGroups: + - specs.smi.nginx.com + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + - DELETE + resources: + - circuitbreakers + - ratelimits +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-mesh-api + labels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: nginx-mesh-api + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/spiffeid: "true" + spec: + serviceAccountName: nginx-mesh-api + containers: + - name: nginx-mesh-api + image: {{ .Values.registry.server }}/nginx-mesh-api:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "-meshconfig=/etc/config/mesh-config.json" + - "-logtostderr" + - "-v=3" + env: + - name: PULL_POLICY + value: {{ .Values.registry.imagePullPolicy }} + - name: MY_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + runAsUser: 0 + readinessProbe: + httpGet: + path: "/healthz" + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + livenessProbe: + httpGet: + path: "/healthz" + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + volumeMounts: + - name: config-volume + mountPath: "/etc/config" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + volumes: + - name: config-volume + configMap: + name: mesh-config + items: + - key: mesh-config.json + path: mesh-config.json + - name: spire-agent-socket + {{ if eq 
.Values.environment "openshift" -}} + csi: + driver: wlapi-mounter.spire.nginx.com + readOnly: true + {{- else -}} + hostPath: + path: "/run/spire/sockets" + type: DirectoryOrCreate + {{- end }} +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/apiservice: "true" + name: v1alpha1.nsm.nginx.com +spec: + group: nsm.nginx.com + groupPriorityMinimum: 100 + service: + name: nginx-mesh-api + namespace: {{ .Release.Namespace}} + port: 443 + version: v1alpha1 + versionPriority: 100 +{{- if eq .Values.environment "openshift" }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:openshift:scc:nginx-mesh-api-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-mesh-api-permissions + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:nginx-mesh-api-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:nginx-mesh-api-permissions +subjects: +- kind: ServiceAccount + name: nginx-mesh-api + namespace: {{ .Release.Namespace }} +--- +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: nginx-mesh-api-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +seLinuxContext: + type: MustRunAs +readOnlyRootFilesystem: false +runAsUser: + type: RunAsAny +fsGroup: + type: MustRunAs +volumes: +- configMap +- csi +- secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 
system:openshift:scc:nginx-mesh-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-mesh-permissions + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:openshift:scc:nginx-mesh-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:nginx-mesh-permissions +subjects: +- kind: Group + name: system:authenticated +--- +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: nginx-mesh-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +allowedCapabilities: +- NET_ADMIN +- NET_RAW +- SYS_RESOURCE +- SYS_ADMIN +seLinuxContext: + type: RunAsAny +runAsUser: + type: RunAsAny +fsGroup: + type: MustRunAs +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- csi +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nginx-mesh-metrics.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nginx-mesh-metrics.yaml new file mode 100644 index 000000000..b14fe9ee5 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/nginx-mesh-metrics.yaml 
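Review bot: The `system:openshift:scc:nginx-mesh-permissions` ClusterRoleBinding at the end of the hunk grants the `system:authenticated` group `use` on an SCC whose `allowedCapabilities` include `NET_ADMIN`, `NET_RAW`, `SYS_RESOURCE` and `SYS_ADMIN` with `runAsUser: RunAsAny`, so on OpenShift every authenticated principal, mesh user or not, can create pods that run as root with `SYS_ADMIN`. Presumably it is bound this broadly because injected sidecars run under arbitrary workload service accounts, but that makes it a cluster-wide privilege-escalation path rather than a mesh permission; narrow the subject to the namespaces or service accounts that opt into injection, and drop `SYS_ADMIN` from `allowedCapabilities` unless the sidecar init container is shown to need more than iptables (`NET_ADMIN`/`NET_RAW`) — confirm against that container. Separately, the `nginx-mesh-api` ClusterRole allows `get`/`list`/`watch` on `secrets` in every namespace, so a compromise of the API pod (which also runs with `runAsUser: 0` and a writable `hostPath` on `/run/spire/sockets`) exposes all cluster Secrets; if the mesh only reads its own secrets, move that rule into the namespaced `Role` defined in the same hunk.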
@@ -0,0 +1,164 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-mesh-metrics + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-mesh-metrics.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - pods + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-mesh-metrics.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-mesh-metrics.internal.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: nginx-mesh-metrics + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: nginx-mesh-metrics + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: nginx-mesh-metrics-svc.internal.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: nginx-mesh-metrics + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-mesh-metrics-svc + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: http + port: 443 + targetPort: metrics + protocol: TCP + selector: + 
app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.metrics.smi-spec.io + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/apiservice: "true" +spec: + service: + name: nginx-mesh-metrics-svc + namespace: {{ .Release.Namespace }} + group: metrics.smi-spec.io + version: v1alpha1 + groupPriorityMinimum: 100 + versionPriority: 100 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-mesh-metrics + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: nginx-mesh-metrics + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/spiffeid: "true" + spec: + serviceAccountName: nginx-mesh-metrics + containers: + - name: nginx-mesh-metrics + image: {{ .Values.registry.server }}/nginx-mesh-metrics:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "--prometheus-address={{ include "prometheus.address" . }}" + readinessProbe: + httpGet: + scheme: HTTPS + path: "/liveness" + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + livenessProbe: + httpGet: + scheme: HTTPS + path: "/liveness" + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 30 + ports: + - name: metrics + containerPort: 8080 + volumeMounts: + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + volumes: + - name: spire-agent-socket + {{ if eq .Values.environment "openshift" -}} + csi: + driver: wlapi-mounter.spire.nginx.com + readOnly: true + {{- else -}} + hostPath: + path: "/run/spire/sockets" + type: DirectoryOrCreate + {{- end }} 
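Review bot: The `nginx-mesh-metrics` Deployment mounts the node's `/run/spire/sockets` via `hostPath` read-write with `type: DirectoryOrCreate` and declares no `securityContext`, so the pod can create or replace files in a node directory it only needs to connect through. The OpenShift branch already mounts the same socket directory with `readOnly: true`; mirror that on the non-OpenShift path by adding `readOnly: true` to the `spire-agent-socket` entry under `volumeMounts` (connecting to a Unix socket does not require a writable mount), and consider `type: Directory` so the pod fails fast instead of creating an empty directory on a node with no SPIRE agent. A container `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would also be appropriate here, assuming the metrics binary needs no capabilities — confirm against the image.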
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/post-delete-hook.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/post-delete-hook.yaml
new file mode 100644
index 000000000..f4f107612
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/post-delete-hook.yaml
@@ -0,0 +1,351 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: post-delete + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: post-delete.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +rules: +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - patch +- apiGroups: + - spiffeid.spiffe.io + resources: + - spiffeids + verbs: + - get + - list + - patch + - update +{{- if eq .Values.environment "openshift" }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - post-delete-permissions.builtin.nsm.nginx + verbs: + - use +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: post-delete.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: post-delete.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: post-delete + namespace: {{ .Release.Namespace }} +{{- if (include "docker-config-json" .) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "registry-key-name" . }} + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +data: + .dockerconfigjson: {{ include "docker-config-json" . 
| b64enc }} +type: kubernetes.io/dockerconfigjson +{{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: remove-spiffeids + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: remove-spiffeids + spec: + restartPolicy: Never + serviceAccountName: post-delete + containers: + - name: remove-spiffeids + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + securityContext: + runAsUser: 0 + command: + - /bin/sh + - -c + - | + for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do + if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then + kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns + fi + done +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: remove-namespace-label + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: remove-namespace-label + spec: + restartPolicy: Never + serviceAccountName: post-delete + containers: + - name: remove-namespace-label + image: {{ include "hook.image-server" . 
}}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + securityContext: + runAsUser: 0 + command: + - /bin/sh + - -c + - | + kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject- + kubectl label namespace {{ .Release.Namespace }} injector.nsm.nginx.com/auto-inject- app.kubernetes.io/part-of- + {{- if .Values.rancher }} + kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject- + for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do + case "$ns" in + cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject- ;; + esac + done + {{- end }} +{{- if eq .Values.environment "openshift" }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: post-delete-csi + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +imagePullSecrets: +- name: {{ include "registry-key-name" . 
}} +--- +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: post-delete-permissions.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +seLinuxContext: + type: MustRunAs +runAsUser: + type: RunAsAny +readOnlyRootFilesystem: false +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: post-delete-csi.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: post-delete-csi + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csi-driver-cleanup + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +data: + sentinel.yaml: | + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + name: csi-driver-sentinel + labels: + app.kubernetes.io/part-of: nginx-service-mesh + imagePullSecrets: + - name: {{ include "registry-key-name" . 
}} + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: csi-driver-sentinel.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - kind: ServiceAccount + name: csi-driver-sentinel + namespace: {{ .Release.Namespace }} + --- + apiVersion: batch/v1 + kind: Job + metadata: + name: csi-driver-sentinel + labels: + app.kubernetes.io/part-of: nginx-service-mesh + spec: + ttlSecondsAfterFinished: 0 + template: + spec: + restartPolicy: Never + serviceAccountName: csi-driver-sentinel + containers: + - name: csi-driver-sentinel + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + command: + - /bin/sh + - -c + - | + while [ $(kubectl get pods -A -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' | wc -w) -gt 0 ]; do + sleep 5 + done + kubectl delete daemonset spire-agent + kubectl delete serviceaccount spire-agent + kubectl delete clusterrole system:openshift:scc:nginx-mesh-spire-agent-permissions + kubectl delete rolebinding system:openshift:scc:nginx-mesh-spire-agent-permissions + kubectl delete scc nginx-mesh-spire-agent-permissions + kubectl delete secret {{ include "registry-key-name" . }} + kubectl delete serviceaccount csi-driver-sentinel + kubectl delete clusterrolebinding csi-driver-sentinel.builtin.nsm.nginx + {{- if (include "docker-config-json" .) }} + secret.yaml: | + --- + apiVersion: v1 + kind: Secret + metadata: + name: {{ include "registry-key-name" . }} + labels: + app.kubernetes.io/part-of: nginx-service-mesh + data: + .dockerconfigjson: {{ include "docker-config-json" . 
| b64enc }} + type: kubernetes.io/dockerconfigjson + {{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: csi-driver-cleanup + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "5" +spec: + template: + metadata: + name: csi-driver-cleanup + spec: + restartPolicy: Never + serviceAccountName: post-delete-csi + containers: + - name: csi-driver-cleanup + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + securityContext: + runAsUser: 0 + command: + - /bin/sh + - -c + - | + res=$(kubectl get pods -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' -A | wc -w) + if [ $res -eq 0 ]; then + kubectl delete daemonset spire-agent + kubectl delete serviceaccount spire-agent + kubectl delete clusterrole system:openshift:scc:nginx-mesh-spire-agent-permissions + kubectl delete rolebinding system:openshift:scc:nginx-mesh-spire-agent-permissions + kubectl delete scc nginx-mesh-spire-agent-permissions + else + idx=$(kubectl get daemonset spire-agent -o json | jq '.spec.template.spec.containers | map(.name == "spire-agent") | index(true)') + kubectl patch daemonset spire-agent --type=json -p="[{'op': 'remove', 'path': '/spec/template/spec/containers/$idx'}]" + idx=$(kubectl get daemonset spire-agent -o json | jq '.spec.template.spec.initContainers | map(.name == "init") | index(true)') + kubectl patch daemonset spire-agent --type=json -p="[{'op': 'remove', 'path': '/spec/template/spec/initContainers/$idx'}]" + {{- if (include "docker-config-json" .) }} + kubectl get secret {{ include "registry-key-name" . }} + if [ $? 
!= 0 ]; then + kubectl create -f /tmp/config/secret.yaml + fi + {{- end }} + kubectl create -f /tmp/config/sentinel.yaml + fi + volumeMounts: + - name: sentinel + mountPath: /tmp/config + volumes: + - name: sentinel + configMap: + name: csi-driver-cleanup +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-delete-hook.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-delete-hook.yaml new file mode 100644 index 000000000..9073cb26f --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-delete-hook.yaml 
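Review bot: The `csi-driver-cleanup` ConfigMap in the OpenShift branch embeds `secret.yaml` containing the registry `.dockerconfigjson` credential, so the pull secret is stored in a ConfigMap, readable by any principal with `configmaps` read in the release namespace, which sidesteps the stricter RBAC normally applied to Secrets. Keep the credential in a Secret: drop `secret.yaml` from the ConfigMap and ship that manifest in a second `kind: Secret` hook resource mounted beside the ConfigMap, or recreate the pull secret with `kubectl create secret docker-registry` from a Secret-backed mount. Separately, both `post-delete-csi` and the `csi-driver-sentinel` service account are bound to `cluster-admin` although the scripts only `get`/`patch`/`delete` a fixed set of named resources (the `spire-agent` DaemonSet, SA, ClusterRole, RoleBinding and SCC, the pull Secret, and the sentinel SA, binding and Job); an explicit ClusterRole listing those verbs would be preferable, noting that the sentinel's own `cluster-admin` binding forces its creator to hold `cluster-admin` under RBAC escalation checks, so the sentinel has to be narrowed first. The shell in all three Jobs also lacks `set -e`, so a failed `kubectl patch` or `delete` still reports the hook as succeeded.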
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pre-delete + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +imagePullSecrets: + - name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pre-delete.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +rules: + - apiGroups: + - nsm.nginx.com + resources: + - clear + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pre-delete.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pre-delete.builtin.nsm.nginx +subjects: + - kind: ServiceAccount + name: pre-delete + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: turn-proxies-transparent + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: turn-proxies-transparent + spec: + restartPolicy: Never + serviceAccountName: pre-delete + containers: + - name: turn-proxies-transparent + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + command: + - /bin/sh + - -c + - | + echo "" | kubectl create --raw /apis/nsm.nginx.com/v1alpha1/clear -f - + exit 0 + imagePullSecrets: + - name: {{ include "registry-key-name" . }} 
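Review bot: The `turn-proxies-transparent` Job ends with an unconditional `exit 0`, so a failed `kubectl create --raw /apis/nsm.nginx.com/v1alpha1/clear` (for example when the API pod is already gone or the APIService is unreachable) is reported as a successful pre-delete hook and the uninstall proceeds, presumably leaving injected proxies non-transparent. If best-effort is the intent, make the failure visible: `echo "" | kubectl create --raw /apis/nsm.nginx.com/v1alpha1/clear -f - || echo "warning: clear request failed; proxies may still enforce mesh policy" >&2` before the `exit 0`, so operators see it in the Job log. The Job also omits a container `securityContext`; `runAsNonRoot: true` with `allowPrivilegeEscalation: false` is reasonable for a kubectl-only container, assuming the `hook.image-server` kubectl image supports a non-root user — confirm.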
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-install-hook.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-install-hook.yaml
new file mode 100644
index 000000000..eebff5d81
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-install-hook.yaml
@@ -0,0 +1,138 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pre-install + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pre-install.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +rules: +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - patch +{{- if eq .Values.environment "openshift" }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - pre-install-permissions.builtin.nsm.nginx + verbs: + - use +--- +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: pre-install-permissions.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +seLinuxContext: + type: MustRunAs +runAsUser: + type: RunAsAny +readOnlyRootFilesystem: false +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pre-install.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pre-install.builtin.nsm.nginx +subjects: +- kind: 
ServiceAccount + name: pre-install + namespace: {{ .Release.Namespace }} +{{- if (include "docker-config-json" .) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "registry-key-name" . }} + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "-5" +data: + .dockerconfigjson: {{ include "docker-config-json" . | b64enc }} +type: kubernetes.io/dockerconfigjson +{{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: label-namespace + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "0" +spec: + template: + metadata: + name: label-namespace + spec: + restartPolicy: Never + serviceAccountName: pre-install + containers: + - name: label-namespace + image: {{ include "hook.image-server" . }}/kubectl + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + securityContext: + runAsUser: 0 + command: + - /bin/sh + - -c + - | + kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false + kubectl label namespace {{ .Release.Namespace }} --overwrite injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh + {{- if .Values.rancher }} + kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false + for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do + case "$ns" in + cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;; + esac + done + {{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-upgrade-hook.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-upgrade-hook.yaml new file mode 100644 index 000000000..42e7c11c1 --- /dev/null 
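Review bot: The `label-namespace` Job sets `securityContext: runAsUser: 0`, which the kubectl label commands in it do not need; the pre-delete and pre-upgrade hooks run the same image without it, so drop the block or replace it with `runAsNonRoot: true` and `allowPrivilegeEscalation: false` unless the image requires root (the OpenShift SCC defined above uses `runAsUser: RunAsAny`, so it would still be admitted). The first `kubectl label namespace kube-system ...` lacks `--overwrite`, unlike the second call, so it errors when the label already exists with another value; because the script runs under `/bin/sh -c` with no `set -e`, only the last command's status decides the Job, and on a `rancher` install that is the `for` loop, so errors on the earlier lines are silently ignored. Adding `set -e` at the top of the script and `--overwrite` on every label call makes the hook both idempotent and honest about failures.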
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/pre-upgrade-hook.yaml
@@ -0,0 +1,79 @@
+{{- if eq .Values.environment "openshift" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: pre-upgrade
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "-5"
+imagePullSecrets:
+- name: {{ include "registry-key-name" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: pre-upgrade
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "-5"
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pre-upgrade
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "-5"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: pre-upgrade
+subjects:
+- kind: ServiceAccount
+ name: pre-upgrade
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: delete-spire-agent
+ labels:
+ app.kubernetes.io/part-of: nginx-service-mesh
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "0"
+spec:
+ template:
+ metadata:
+ name: delete-spire-agent
+ spec:
+ restartPolicy: Never
+ serviceAccountName: pre-upgrade
+ containers:
+ - name: delete-spire-agent
+ image: {{ include "hook.image-server" . }}/kubectl
+ imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ kubectl delete daemonset spire-agent
+{{- end }}
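Review bot: The `pre-upgrade` Role grants `delete` on every DaemonSet in the release namespace, while the Job only removes `spire-agent`; since `delete` honours `resourceNames`, add `resourceNames: [spire-agent]` under that rule so the hook's token is scoped to the one object it touches. The Job's `kubectl delete daemonset spire-agent` has no `--ignore-not-found`, so upgrading a release where the DaemonSet is already gone fails the hook and aborts the upgrade; `kubectl delete daemonset spire-agent --ignore-not-found` makes it idempotent. With `hook-delete-policy: hook-succeeded,hook-failed` the failing pod is also removed before its log can be read, so `hook-failed` is worth reconsidering for this Job.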
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/prometheus.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/prometheus.yaml new file mode 100644 index 000000000..e96950360 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/prometheus.yaml 
@@ -0,0 +1,114 @@ +{{- if eq .Values.prometheusAddress "" }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch +- nonResourceURLs: + - "/metrics" + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: prometheus.metrics.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus.metrics.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: prometheus + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus-configuration + labels: + app.kubernetes.io/part-of: nginx-service-mesh +binaryData: + prometheus.yaml: {{ .Files.Get "configs/prometheus-config.yaml" | b64enc }} +--- +apiVersion: v1 +kind: Service +metadata: + name: prometheus + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh +spec: + selector: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh + type: ClusterIP + ports: + - port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: prometheus + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: nginx-service-mesh + spec: + 
serviceAccountName: prometheus + containers: + - name: prometheus + image: {{ include "prometheus.image-server" . }}/prometheus:v2.33.1 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "--config.file=/etc/prometheus/prometheus.yaml" + - "--storage.tsdb.path=/prometheus/" + ports: + - containerPort: 9090 + volumeMounts: + - name: prometheus-config-volume + mountPath: "/etc/prometheus" + - name: prometheus-storage-volume + mountPath: "/prometheus/" + volumes: + - name: prometheus-config-volume + configMap: + name: prometheus-configuration + - name: prometheus-storage-volume + emptyDir: {} +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/registry-key.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/registry-key.yaml new file mode 100644 index 000000000..beee39c5e --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/registry-key.yaml @@ -0,0 +1,12 @@ +{{- if (include "docker-config-json" .) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "registry-key-name" . }} + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + .dockerconfigjson: {{ include "docker-config-json" . | b64enc }} +type: kubernetes.io/dockerconfigjson +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/spire-agent.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/spire-agent.yaml new file mode 100644 index 000000000..77c35502d --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/spire-agent.yaml 
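Review bot: The `prometheus` container has no `securityContext` and no `resources`, and its Service exposes port 9090 to every workload in the cluster with no authentication, so any pod that can reach the ClusterIP can read all mesh metrics and the loaded scrape configuration. Add `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}` and `resources` requests/limits to the container, and consider a NetworkPolicy that limits 9411-style in-cluster exposure of 9090 to the mesh components that actually query it. The ClusterRole's `get`/`list`/`watch` on services, endpoints and pods plus `nonResourceURLs: "/metrics"` is the usual read-only discovery scope; a comment such as `# read-only cluster-wide discovery scope for service/pod scraping` above `rules:` would record why it must be a ClusterRole rather than a Role.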
@@ -0,0 +1,307 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + labels: + app.kubernetes.io/part-of: nginx-service-mesh + {{- if eq .Values.environment "openshift" }} + annotations: + "helm.sh/resource-policy": keep + {{- end }} +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-agent.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - pods + - nodes + - nodes/proxy + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-agent.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-agent.security.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + agent.conf: {{ tpl (.Files.Get "configs/spire-agent.conf") . | quote }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + labels: + app.kubernetes.io/name: spire-agent + app.kubernetes.io/part-of: nginx-service-mesh + {{- if eq .Values.environment "openshift" }} + annotations: + "helm.sh/resource-policy": keep + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: spire-agent + app.kubernetes.io/part-of: nginx-service-mesh + template: + metadata: + labels: + app.kubernetes.io/name: spire-agent + app.kubernetes.io/part-of: nginx-service-mesh + spec: + serviceAccountName: spire-agent + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + initContainers: + {{- if eq .Values.environment "openshift" }} + - name: set-context + image: {{ include "ubuntu.image-server" . 
}}ubuntu:20.04 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + command: ["chcon", "-Rt", "container_file_t", "wlapi/"] + volumeMounts: + - name: spire-agent-socket + mountPath: "/wlapi" + {{- end }} + - name: init + image: {{ include "hook.image-server" . }}/kubectl + command: + - /bin/sh + - -c + - | + while $(kubectl -n {{ .Release.Namespace }} wait --for=condition=Ready pod -l app.kubernetes.io/name=spire-server > /dev/null); [ $? -ne 0 ]; do + sleep 1 + done + containers: + - name: spire-agent + image: {{ include "spire.image-server" . }}/spire-agent:1.2.0 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "-config" + - "/run/spire/config/agent.conf" + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: spire-config + mountPath: "/run/spire/config" + readOnly: true + - name: spire-bundle + mountPath: "/run/spire/bundle" + - name: spire-agent-socket + mountPath: "/run/spire/sockets" + readOnly: false + - name: spire-token + mountPath: "/var/run/secrets/tokens" + livenessProbe: + exec: + command: + - "/opt/spire/bin/spire-agent" + - healthcheck + - "-shallow" + - "-socketPath" + - "/run/spire/sockets/agent.sock" + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - "/opt/spire/bin/spire-agent" + - healthcheck + - "-socketPath" + - "/run/spire/sockets/agent.sock" + initialDelaySeconds: 5 + periodSeconds: 5 + {{ if eq .Values.environment "openshift" -}} + - name: nginx-mesh-csi-driver + image: {{ .Values.registry.server }}/nginx-mesh-csi-driver:{{ .Values.registry.imageTag }} + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "--node-id-env" + - "MY_NODE_NAME" + - "--wlapi-socket-dir" + - "/wlapi" + - "--csi-socket-path" + - "/csi/csi.sock" + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: spire-agent-socket + mountPath: /wlapi + readOnly: true + - name: csi-socket-dir + mountPath: /csi + - name: mountpoint-dir + mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + securityContext: + privileged: true + - name: node-driver-registrar + image: {{ include "node-driver.image-server" . }}/csi-node-driver-registrar:v2.0.1 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - "-csi-address" + - "/csi/csi.sock" + - "-kubelet-registration-path" + - "/var/lib/kubelet/plugins/agent.spire.csi.spiffe.io/csi.sock" + volumeMounts: + - name: csi-socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + {{- end }} + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: DirectoryOrCreate + {{ if eq .Values.environment "openshift" -}} + - name: csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/agent.spire.csi.spiffe.io + type: DirectoryOrCreate + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory + {{- end }} + - name: spire-token + projected: + sources: + - serviceAccountToken: + audience: spire-server + expirationSeconds: 7200 + path: spire-agent +{{- if eq .Values.environment "openshift" }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:openshift:scc:nginx-mesh-spire-agent-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/resource-policy": keep +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-mesh-spire-agent-permissions + verbs: + - use +- apiGroups: + 
- '' + resources: + - pods + verbs: + - get + - list + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:nginx-mesh-spire-agent-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/resource-policy": keep +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:nginx-mesh-spire-agent-permissions +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: {{ .Release.Namespace }} +--- +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: nginx-mesh-spire-agent-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh + annotations: + "helm.sh/resource-policy": keep +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostPID: true +allowHostNetwork: true +allowHostPorts: false +allowPrivilegedContainer: true +seLinuxContext: + type: MustRunAs +readOnlyRootFilesystem: false +runAsUser: + type: RunAsAny +fsGroup: + type: MustRunAs +volumes: +- configMap +- hostPath +- projected +- secret +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: wlapi-mounter.spire.nginx.com +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Ephemeral +{{- end }} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/spire-server.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/spire-server.yaml new file mode 100644 index 000000000..9914ecd1f --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/spire-server.yaml 
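Review bot: The `init` initContainer's readiness wait is written as `while $(kubectl ... wait ... > /dev/null); [ $? -ne 0 ]; do sleep 1; done`, which only works because a word-less simple command takes the exit status of its last command substitution; `until kubectl -n {{ .Release.Namespace }} wait --for=condition=Ready pod -l app.kubernetes.io/name=spire-server > /dev/null; do sleep 1; done` expresses the same loop plainly, and unlike its sibling containers this one also sets no `imagePullPolicy`. The ClusterRole's `get`/`list` on `nodes/proxy` is kubelet-API access on every node, noticeably broader than the pod and node reads beside it; a comment above that resource naming which attestor needs the kubelet API would justify the grant, and it is worth confirming that `pods` alone is not sufficient. The DaemonSet runs with `hostPID: true` and `hostNetwork: true` on every platform, and on OpenShift adds a `privileged` CSI container with `Bidirectional` propagation on `/var/lib/kubelet/pods`; the SCC documents the OpenShift case, but a one-line comment above `hostPID` stating why the agent needs the host PID namespace would help reviewers of the default path.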
@@ -0,0 +1,434 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + labels: + app.kubernetes.io/part-of: nginx-service-mesh +imagePullSecrets: +- name: {{ include "registry-key-name" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - pods + - nodes + verbs: + - get +- apiGroups: + - '' + resources: + - configmaps + resourceNames: + - spire-bundle + verbs: + - get + - patch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - watch +{{- if .Values.mtls.upstreamAuthority.certManager }} +- apiGroups: + - cert-manager.io + resources: + - certificaterequests + verbs: + - get + - list + - create + - delete +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server.security.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: spire-server + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: k8s-workload-registrar.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - '' + resources: + - endpoints + - pods + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - spiffeid.spiffe.io + resources: + - spiffeids + verbs: + - create + - delete + - get + - list + - patch + - update + - watch 
+- apiGroups: + - spiffeid.spiffe.io + resources: + - spiffeids/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: k8s-workload-registrar.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: k8s-workload-registrar.security.builtin.nsm.nginx +subjects: +- kind: ServiceAccount + name: spire-server + namespace: {{ .Release.Namespace }} +{{- if (or (include "ua-secret-name" .) (include "ua-vault-env-name" .)) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: spire-server + labels: + app.kubernetes.io/part-of: nginx-service-mesh +type: Opaque +data: + {{- if (include "ua-secret-name" .) }} + {{ include "ua-secret-name" . }}: {{ include "ua-secret-value" . }}{{ end }} + {{- if (include "ua-vault-env-name" .) }} + {{ include "ua-vault-env-name" . }}: {{ include "ua-vault-env-value" . }}{{ end }} +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + labels: + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + server.conf: {{ tpl (.Files.Get "configs/spire-server.conf") . | quote }} + {{ if (include "ua-upstream-cert" .) -}} + {{ include "ua-upstream-cert" . }}{{ end }} + {{ if (include "ua-upstream-client-cert" .) -}} + {{ include "ua-upstream-client-cert" . }}{{ end }} + {{ if (include "ua-upstream-bundle" .) -}} + {{ include "ua-upstream-bundle" . }}{{ end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: k8s-workload-registrar + labels: + app.kubernetes.io/part-of: nginx-service-mesh +data: + k8s-workload-registrar.conf: {{ tpl (.Files.Get "configs/k8s-workload-registrar.conf") . 
| quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: spire-server + labels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + type: ClusterIP + ports: + - name: grpc + protocol: TCP + port: 8081 + targetPort: 8081 + selector: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh +--- +apiVersion: v1 +kind: Service +metadata: + name: k8s-workload-registrar + labels: + app.kubernetes.io/name: k8s-workload-registrar + app.kubernetes.io/part-of: nginx-service-mesh +spec: + ports: + - name: webhook + protocol: TCP + port: 443 + targetPort: 9443 + selector: + app.kubernetes.io/name: spire-server +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: k8s-workload-registrar.security.builtin.nsm.nginx + labels: + app.kubernetes.io/part-of: nginx-service-mesh + spiffe.io/webhook: "true" +webhooks: +- name: k8s-workload-registrar.{{ .Release.Namespace }}.svc + clientConfig: + service: + name: k8s-workload-registrar + namespace: {{ .Release.Namespace }} + path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid" + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + rules: + - apiGroups: + - spiffeid.spiffe.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - spiffeids + scope: Namespaced +--- +apiVersion: apps/v1 +{{- if eq .Values.mtls.persistentStorage "on" }} +kind: StatefulSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: spire-server + labels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: nginx-service-mesh + {{- if eq .Values.mtls.persistentStorage "on" }} + serviceName: spire-server + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: spire-server + app.kubernetes.io/part-of: 
nginx-service-mesh + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: {{ include "spire.image-server" . }}/spire-server:1.2.0 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - '-config' + - /run/spire/config/server.conf + ports: + - name: spire-server + protocol: TCP + containerPort: 8081 + {{- if (include "ua-vault-env-name" .) }} + env: + - name: {{ include "ua-vault-env-name" . }} + valueFrom: + secretKeyRef: + name: spire-server + key: {{ include "ua-vault-env-name" . }} + {{- end }} + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + {{- if (include "ua-secret-mountpath" .) }} + - name: spire-secrets + mountPath: {{ include "ua-secret-mountpath" . }} + readOnly: true + {{- end }} + {{- if eq .Values.mtls.persistentStorage "on" }} + - name: spire-data + mountPath: /run/spire/data + readOnly: false + {{- end }} + - name: spire-server-socket + mountPath: /run/spire/sockets + readOnly: false + livenessProbe: + httpGet: + port: 8082 + path: /live + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + port: 8082 + path: /ready + initialDelaySeconds: 5 + periodSeconds: 5 + - name: k8s-workload-registrar + image: {{ include "spire.image-server" . }}/k8s-workload-registrar:1.2.0 + imagePullPolicy: {{ .Values.registry.imagePullPolicy }} + args: + - '-config' + - /run/spire/config/k8s-workload-registrar.conf + ports: + - name: webhook + protocol: TCP + containerPort: 9443 + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: k8s-workload-registrar-config + mountPath: /run/spire/config + readOnly: true + - name: spire-server-socket + mountPath: /run/spire/sockets + readOnly: true + volumes: + - name: spire-config + configMap: + name: spire-server + {{- if (include "ua-secret-name" .) 
}} + - name: spire-secrets + secret: + secretName: spire-server + items: + - key: {{ include "ua-secret-name" . }} + path: {{ include "ua-secret-name" . }} + {{- end }} + - name: spire-server-socket + emptyDir: {} + - name: k8s-workload-registrar-config + configMap: + name: k8s-workload-registrar + {{- if eq .Values.mtls.persistentStorage "on" }} + volumeClaimTemplates: + - metadata: + name: spire-data + namespace: {{ .Release.Namespace }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + {{- end }} +{{- if eq .Values.environment "openshift" }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:openshift:scc:nginx-mesh-spire-server-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-mesh-spire-server-permissions + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:nginx-mesh-spire-server-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:nginx-mesh-spire-server-permissions +subjects: +- kind: ServiceAccount + name: spire-server + namespace: {{ .Release.Namespace }} +--- +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: nginx-mesh-spire-server-permissions + labels: + app.kubernetes.io/part-of: nginx-service-mesh +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +seLinuxContext: + type: MustRunAs +readOnlyRootFilesystem: false +runAsUser: + type: RunAsAny +volumes: +- configMap +- secret +- emptyDir +- persistentVolumeClaim +{{- end }} 
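Review bot: The `spire-server.security.builtin.nsm.nginx` ClusterRole grants `patch` on every `mutatingwebhookconfigurations` and `validatingwebhookconfigurations` object in the cluster, so the spire-server service account can rewrite any admission webhook, not just its own; the only webhook this chart defines is `k8s-workload-registrar.security.builtin.nsm.nginx`, so move `patch` into its own rule with `resourceNames: [k8s-workload-registrar.security.builtin.nsm.nginx]`, keep `get`/`list`/`watch` unrestricted, and confirm whether the mutating kind is needed at all since no MutatingWebhookConfiguration appears in the templates visible here (the `apiservices` `patch` grant may deserve the same treatment). The pod also sets `shareProcessNamespace: true` while, when the Vault upstream authority is configured, its credential is injected as an environment variable into the `spire-server` container; in a shared PID namespace the `k8s-workload-registrar` container can read that variable from the process's `/proc/<pid>/environ` if both run as the same UID, so either mount the Secret as a file like the `spire-secrets` volume already does or add a comment explaining why the shared namespace is required.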
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/zipkin.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/zipkin.yaml
new file mode 100644
index 000000000..d5788077d
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/templates/zipkin.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.tracing }} {{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "zipkin") (eq .Values.tracing.address "")) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: zipkin
+ labels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ selector:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+ type: ClusterIP
+ ports:
+ - port: 9411
+ targetPort: 9411
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: zipkin
+ labels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: zipkin
+ app.kubernetes.io/part-of: nginx-service-mesh
+ spec:
+ imagePullSecrets:
+ - name: {{ include "registry-key-name" . }}
+ containers:
+ - name: zipkin
+ image: {{ include "zipkin.image-server" . }}/zipkin:2.23.16
+ imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
+ ports:
+ - containerPort: 9411
+{{- end }}{{- end }}
diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/values.schema.json b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/values.schema.json
new file mode 100644
index 000000000..6a7f879f1
--- /dev/null
+++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/values.schema.json
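Review bot: The `zipkin` container has neither `resources` nor a `securityContext`, and its Service exposes 9411 (span ingestion and the UI, unauthenticated) to the whole cluster; add `resources` requests/limits and `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}`, and consider a NetworkPolicy restricting 9411 to the mesh sidecars and operators that need it. The Deployment places `imagePullSecrets` directly in the pod spec while prometheus.yaml attaches them through a dedicated ServiceAccount; one pattern across the chart would be easier to audit. The two nested guards on the first line, `{{- if .Values.tracing }} {{- if (and ...) }}`, read as one condition; a comment such as `# outer if guards a nil .Values.tracing before its fields are read` would explain why they are not folded into a single `and`.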
@@ -0,0 +1,614 @@ +{ + "$schema": "https://json-schema.org/draft-07/schema#", + "title": "NGINX Service Mesh Values", + "type": "object", + "properties": { + "mtls": { + "type": "object", + "properties": { + "mode": { + "description": "mTLS mode for pod-to-pod communication", + "type": "string", + "enum": ["off", "permissive", "strict"], + "default": "permissive" + }, + "caTTL": { + "description": "The CA/signing key TTL in hours(h) or minutes(m). Max value is 999999.", + "type": "string", + "pattern": "^[1-9][0-9]{0,5}(h|m)$", + "default": "720h" + }, + "svidTTL": { + "description": "The TTL of certificates issued to workloads in hours(h) or minutes(m). Max value is 999999.", + "type": "string", + "pattern": "^[1-9][0-9]{0,5}(h|m)$", + "default": "1h" + }, + "trustDomain": { + "description": "The trust domain of the NGINX Service Mesh", + "type": "string", + "default": "example.org" + }, + "persistentStorage": { + "description": "Use persistent storage", + "type": "string", + "enum": ["on", "off"], + "default": "on" + }, + "spireServerKeyManager": { + "description": "Storage logic for SPIRE Server's private keys", + "type": "string", + "enum": ["disk", "memory"], + "default": "disk" + }, + "caKeyType": { + "description": "The key type used for the SPIRE Server CA", + "type": "string", + "enum": ["ec-p256", "ec-p384", "rsa-2048", "rsa-4096"], + "default": "ec-p256" + }, + "upstreamAuthority": { + "description": "Upstream authority settings", + "type": "object", + "properties": { + "disk": { + "description": "Disk object", + "type": "object", + "properties": { + "cert": { + "description": "Contents of your PEM encoded certificate file", + "type": "string", + "minLength": 1 + }, + "key": { + "description": "Contents of your PEM encoded key file", + "type": "string", + "minLength": 1 + }, + "bundle": { + "description": "Contents of your CA bundle file", + "type": "string" + } + }, + "required": ["cert", "key"] + }, + "awsPCA": { + "description": "AWS PCA object", + 
"type": "object", + "properties": { + "region": { + "description": "AWS region to use", + "type": "string", + "minLength": 1 + }, + "certificateAuthorityArn": { + "description": "ARN of the upstream CA certificate", + "type": "string", + "minLength": 1 + }, + "awsAccessKeyID": { + "description": "AWS access key ID", + "type": "string" + }, + "awsSecretAccessKey": { + "description": "AWS secret access key", + "type": "string" + }, + "caSigningTemplateArn": { + "description": "ARN of the signing template to use for the server's CA", + "type": "string" + }, + "signingAlgorithm": { + "description": "Signing algorithm to use for the server's CA", + "type": "string" + }, + "assumeRoleArn": { + "description": " ARN of an IAM role to assume", + "type": "string" + }, + "endpoint": { + "description": "Endpoint as hostname or fully-qualified URI that overrides the default endpoint", + "type": "string" + }, + "supplementalBundle": { + "description": "Contents of a PEM encoded CA certificates file that should be additionally included in the bundle", + "type": "string" + } + }, + "required": ["region", "certificateAuthorityArn"] + }, + "awsSecret": { + "description": "AWS Secret object", + "type": "object", + "properties": { + "region": { + "description": "AWS region to use", + "type": "string", + "minLength": 1 + }, + "certFileArn": { + "description": "ARN of the upstream CA certificate", + "type": "string", + "minLength": 1 + }, + "keyFileArn": { + "description": "ARN of the upstream CA key file", + "type": "string", + "minLength": 1 + }, + "awsAccessKeyID": { + "description": "AWS access key ID", + "type": "string" + }, + "awsSecretKeyID": { + "description": "AWS secret access key", + "type": "string" + }, + "awsSecretToken": { + "description": "AWS secret token", + "type": "string" + }, + "assumeRoleArn": { + "description": "ARN of role to assume", + "type": "string" + } + }, + "required": ["region", "certFileArn", "keyFileArn"] + }, + "vault": { + "description": "Vault 
object", + "type": "object", + "properties": { + "vaultAddr": { + "description": "URL of the Vault server", + "type": "string", + "minLength": 1 + }, + "namespace": { + "description": "Vault namespace", + "type": "string", + "minLength": 1 + }, + "caCert": { + "description": "Contents of a PEM encoded CA certificate file to verify the Vault server certificate", + "type": "string", + "minLength": 1 + }, + "pkiMountPoint": { + "description": "Name of the mount point where the PKI secret engine is mounted", + "type": "string", + "default": "pki" + }, + "insecureSkipVerify": { + "description": "If true, vault client accepts any server certificates", + "type": "boolean", + "default": false + }, + "certAuth": { + "description": "Client certificate authentication object", + "type": "object", + "properties": { + "clientCert": { + "description": "Contents of your client cert file", + "type": "string", + "minLength": 1 + }, + "clientKey": { + "description": "Contents of your client key file", + "type": "string", + "minLength": 1 + }, + "certAuthMountPoint": { + "description": "Name of the mount point where TLS certificate auth method is mounted", + "type": "string", + "default": "cert" + }, + "certAuthRoleName": { + "description": "Name of the vault role. If given, the plugin authenticates against only the named role. 
Default to trying all roles.", + "type": "string" + } + }, + "required": ["clientCert", "clientKey"] + }, + "tokenAuth": { + "description": "Token authentication object", + "type": "object", + "properties": { + "token": { + "description": "Token string set into X-Vault-Token header", + "type": "string", + "minLength": 1 + } + }, + "required": ["token"] + }, + "approleAuth": { + "description": "AppRole authentication object", + "type": "object", + "properties": { + "approleID": { + "description": "An identifier of AppRole", + "type": "string", + "minLength": 1 + }, + "approleSecretID": { + "description": "A credential of AppRole", + "type": "string", + "minLength": 1 + }, + "approleAuthMountPoint": { + "description": "Name of the mount point where the AppRole auth method is mounted", + "type": "string", + "default": "approle" + } + }, + "required": ["approleID", "approleSecretID"] + } + }, + "required": ["vaultAddr", "namespace", "caCert"], + "oneOf": [ + {"required": ["certAuth"]}, + {"required": ["tokenAuth"]}, + {"required": ["approleAuth"]} + ] + }, + "certManager": { + "description": "Cert Manager object", + "type": "object", + "properties": { + "namespace": { + "description": "The namespace to create CertificateRequests for signing", + "type": "string", + "minLength": 1 + }, + "issuerName": { + "description": "The name of the issuer to reference in CertificateRequests", + "type": "string", + "minLength": 1 + }, + "issuerKind": { + "description": "The kind of the issuer to reference in CertificateRequests", + "type": "string", + "default": "Issuer" + }, + "issuerGroup": { + "description": "The group of the issuer to reference in CertificateRequests", + "type": "string", + "default": "cert-manager.io" + }, + "kubeConfig": { + "description": "Contents of the kubeconfig file used to connect to the Kubernetes cluster", + "type": "string" + } + }, + "required": ["namespace", "issuerName"] + } + }, + "oneOf": [ + {"$ref": "#/definitions/emptyObject"}, + {"required": 
["disk"]}, + {"required": ["awsPCA"]}, + {"required": ["awsSecret"]}, + {"required": ["vault"]}, + {"required": ["certManager"]} + ] + } + }, + "required": ["mode", "caTTL", "svidTTL", "trustDomain", "persistentStorage", "spireServerKeyManager"] + }, + "registry": { + "description": "NGINX Service Mesh image registry settings", + "type": "object", + "properties": { + "server": { + "description": "Hostname:port (if needed) for registry and path to images", + "type": "string", + "default": "docker-registry.nginx.com/nsm" + }, + "imageTag": { + "description": "Tag used for pulling images from registry. ", + "type": "string", + "default": "1.4.0" + }, + "key": { + "description": "Contents of your Google Cloud JSON key file", + "type": "string" + }, + "username": { + "description": "Username for accessing private registry", + "type": "string" + }, + "password": { + "description": "Password for accessing private registry", + "type": "string" + }, + "disablePublicImages": { + "description": "Disable the pulling of third party images from public repositories", + "type": "boolean", + "default": false + }, + "imagePullPolicy": { + "description": "Image pull policy", + "type": "string", + "enum": ["Never", "IfNotPresent", "Always"], + "default": "IfNotPresent" + } + }, + "oneOf": [ + { + "properties": { + "username": {"$ref": "#/definitions/nonEmptyString"}, + "password": {"$ref": "#/definitions/nonEmptyString"}, + "key": {"$ref": "#/definitions/emptyString"} + } + }, + { + "properties": { + "key": {"$ref": "#/definitions/nonEmptyString"}, + "username": {"$ref": "#/definitions/emptyString"}, + "password": {"$ref": "#/definitions/emptyString"} + } + }, + { + "properties": { + "key": {"$ref": "#/definitions/emptyString"}, + "username": {"$ref": "#/definitions/emptyString"}, + "password": {"$ref": "#/definitions/emptyString"} + } + } + ], + "required": ["server", "imageTag", "disablePublicImages", "imagePullPolicy"] + }, + "accessControlMode": { + "description": "Default access 
control mode for service-to-service communication", + "type": "string", + "enum": ["allow", "deny"] + }, + "environment": { + "description": "Environment to deploy the mesh into", + "type": "string", + "enum": ["kubernetes", "openshift"] + }, + "enableUDP": { + "description": "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.", + "type": "boolean" + }, + "deployGrafana": { + "description": "Deploy Grafana as a part of the NGINX Service Mesh", + "type": "boolean" + }, + "nginxErrorLogLevel": { + "description": "NGINX error log level", + "type": "string", + "enum": ["debug", "info", "notice", "warn", "error", "crit", "alert", "emerg"] + }, + "nginxLogFormat": { + "description": "NGINX log format", + "type": "string", + "enum": ["default", "json"] + }, + "nginxLBMethod": { + "description": "NGINX load balancing method", + "type": "string", + "enum": ["least_conn", "least_time", "least_time last_byte", "least_time last_byte inflight", "random", "random two", "random two least_conn", "random two least_time", "random two least_time=last_byte", "round_robin"] + }, + "prometheusAddress": { + "description": "The address of a Prometheus server deployed in your Kubernetes cluster", + "type": "string" + }, + "autoInjection": { + "description": "NGINX Service Mesh auto-injection settings", + "type": "object", + "properties": { + "disable": { + "description": "Disable automatic sidecar injection upon resource creation", + "type": "boolean" + }, + "disabledNamespaces": { + "description": "Disable automatic sidecar injection for specific namespace", + "type": "array", + "items": { + "type": "string" + } + }, + "enabledNamespaces": { + "description": "Enable automatic sidecar injection for specific namespaces", + "type": "array", + "items": { + "type": "string" + } + } + }, + "allOf": [ + { + "if": { + "properties": { + "disable": { + "const": true + } + } + }, + "then":{ + "properties": { + "disabledNamespaces": { + "$ref": "#/definitions/emptyArray" + 
} + } + } + }, + { + "if": { + "properties": { + "disable": { + "const": false + } + } + }, + "then":{ + "properties": { + "enabledNamespaces": { + "$ref": "#/definitions/emptyArray" + } + } + } + } + ], + "required": ["disable"] + }, + "tracing": { + "description": "NGINX Service Mesh tracing settings", + "type": "object", + "oneOf": [ + {"$ref": "#/definitions/tracingConfig"}, + {"$ref": "#/definitions/emptyObject"} + ] + }, + "telemetry":{ + "description": "NGINX Service Mesh telemetry settings", + "type": "object", + "oneOf": [ + {"$ref": "#/definitions/telemetryConfig"}, + {"$ref": "#/definitions/emptyObject"} + ] + } + }, + "definitions": { + "nonEmptyString": { + "type": "string", + "minLength": 1 + }, + "emptyString": { + "type": "string", + "const": "" + }, + "nonEmptyArray": { + "type": "array", + "minItems": 1 + }, + "emptyArray": { + "type": "array", + "maxItems": 0 + }, + "emptyObject": { + "type": "object", + "additionalProperties": false, + "properties": {} + }, + "telemetryConfig": { + "properties": { + "samplerRatio": { + "description": "The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1", + "type": "number", + "minimum": 0.0, + "maximum": 1.0 + }, + "exporters": { + "type": "object", + "properties": { + "otlp": { + "type": "object", + "description": "The configuration for an OTLP gRPC exporter", + "properties": { + "host": { + "description": "The host of the OpenTelemetry gRPC exporter to connect to", + "type": "string", + "minLength": 1 + }, + "port": { + "description": "The port of the OpenTelemetry gRPC exporter to connect to", + "type": "number", + "minimum": 0, + "maximum": 65535 + } + }, + "required": ["host", "port"] + } + } + } + }, + "required": ["samplerRatio", "exporters"] + }, + "tracingConfig": { + "properties": { + "disable": { + "description": "Disable tracing for all services", + "type": "boolean" + }, + "sampleRate": { + "description": "The sample rate to use for tracing. 
Float between 0 and 1", + "type": "number", + "minimum": 0.0, + "maximum": 1.0 + }, + "backend": { + "description": "The tracing backend that you want to use", + "type": "string", + "enum": ["zipkin", "datadog", "jaeger"] + }, + "address": { + "description": "The address of a tracing server deployed in your Kubernetes cluster", + "type": "string" + } + }, + "required": ["disable", "sampleRate"], + "if": { + "properties": { + "backend": { + "const": "datadog" + } + } + }, + "then": { + "properties": { + "address": { + "type": "string", + "minLength": 1 + } + } + } + } + }, + "oneOf": [ + { + "properties": { + "telemetry": { + "$ref": "#/definitions/emptyObject" + }, + "tracing": { + "$ref": "#/definitions/tracingConfig" + } + } + }, + { + "properties": { + "telemetry": { + "$ref": "#/definitions/emptyObject" + }, + "tracing": { + "$ref": "#/definitions/emptyObject" + } + } + }, + { + "properties": { + "telemetry": { + "$ref": "#/definitions/telemetryConfig" + }, + "tracing": { + "$ref": "#/definitions/emptyObject" + } + } + } + ], + "required": [ + "mtls", + "registry", + "accessControlMode", + "environment", + "deployGrafana", + "nginxErrorLogLevel", + "nginxLogFormat", + "nginxLBMethod", + "autoInjection" + ] +} diff --git a/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/values.yaml b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/values.yaml new file mode 100644 index 000000000..3a2043666 --- /dev/null +++ b/charts/nginx-service-mesh/nginx-service-mesh/0.4.0/values.yaml 
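Review bot: The `awsSecret` upstream-authority object in this schema declares the secret credential as `awsSecretKeyID`, while the commented-out `awsSecret` template in the values.yaml hunk of this same commit names it `awsSecretAccessKey`; because the object does not set `"additionalProperties": false`, a user who follows the values file passes validation and the credential is silently ignored by whichever name the SPIRE configmap template actually reads (that template is not in view, so I cannot say which side is wrong). Align the two names, and consider `"additionalProperties": false` on the upstream-authority objects so a misspelled credential key fails `helm install` instead of being dropped. Minor: the `assumeRoleArn` description under `awsPCA` has a leading space, `" ARN of an IAM role to assume"`.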
@@ -0,0 +1,266 @@ +# NGINX Service Mesh image registry settings. +registry: + # Hostname:port (if needed) for registry and path to images. + # Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar + server: "docker-registry.nginx.com/nsm" + + # Tag used for pulling images from registry + # Affects: nginx-mesh-api, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar + imageTag: "1.4.0" + + # Note: Currently only works with Google Cloud registry. + # Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=.json" + # Cannot be used with username or password. + key: "" + + # Username for accessing private registry. + # Requires password to be set. Cannot be used with key. + username: "" + + # Password for accessing private registry. + # Requires username to be set. Cannot be used with key. + password: "" + + # Do not pull third party images from public repositories. + # If true, registry.server is used for all images. + disablePublicImages: false + + # Image pull policy + # Valid values: Always, IfNotPresent, Never + imagePullPolicy: "IfNotPresent" + +# Default access control mode for service-to-service communication. +# Valid values: allow, deny +accessControlMode: "allow" + +# Environment to deploy the mesh into. +# Valid values: kubernetes, openshift +environment: "kubernetes" + +# Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required. +enableUDP: false + +# Deploy Grafana as a part of the NGINX Service Mesh. +# Note: This configurable will be removed in version 1.5 +# Valid values: true, false +deployGrafana: true + +# NGINX error log level. +# Valid values: debug, info, notice, warn, error, crit, alert, emerg +nginxErrorLogLevel: "warn" + +# NGINX log format. +# Valid values: default, json +nginxLogFormat: "default" + +# NGINX load balancing method. 
+# Valid values: [least_conn, least_time, least_time last_byte, least_time last_byte inflight, +# random, random two, random two least_conn, random two least_time, random two least_time=last_byte, round_robin] +nginxLBMethod: "least_time" + +# The address of a Prometheus server deployed in your Kubernetes cluster. +# Address should be in the format .:. +prometheusAddress: "" + +# NGINX Service Mesh auto-injection settings. +autoInjection: + # Disable automatic sidecar injection upon resource creation. + # Use the "enabledNamespaces" flag to enable automatic injection in select namespaces. + disable: false + + # Disable automatic sidecar injection for specific namespaces. + # Cannot be used with "disable". + disabledNamespaces: [] + + # Enable automatic sidecar injection for specific namespaces. + # Must be used with "disable". + enabledNamespaces: [] + +# NGINX Service Mesh tracing settings. +# Cannot be set when telemetry is set. +# If deploying with tracing, make sure the telemetry object is set to {}. +tracing: + # Disable tracing for all services. + # Note: This configurable will be removed in version 1.5 + disable: false + + # The address of a tracing server deployed in your Kubernetes cluster. + # Address should be in the format .:. + address: "" + + # The tracing backend that you want to use. + # Valid values: datadog, jaeger, zipkin + backend: "jaeger" + + # The sample rate to use for tracing. Float between 0 and 1. + sampleRate: 0.01 + +# NGINX Service Mesh telemetry settings. +# Cannot be set when tracing is set. +# To enable telemetry, uncomment the following object and set the tracing object to {}. +telemetry: {} +# # The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1. +# samplerRatio: 0.01 +# # The configuration of exporters to send telemetry data to. +# exporters: +# # The configuration for an OTLP gRPC exporter. +# otlp: +# # The host of the OpenTelemetry gRPC exporter to connect to. 
Must be accessible from within the cluster. +# host: "" +# # The port of the OpenTelemetry gRPC exporter to connect to. +# port: 4317 + +# Mutual TLS settings. See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls for more info. +mtls: + # mTLS mode for pod-to-pod communication. + # Valid values: off, permissive, strict + mode: "permissive" + + # The CA/signing key TTL in hours(h) or minutes(m). + caTTL: "720h" + + # The TTL of certificates issued to workloads in hours(h) or minutes(m). + svidTTL: "1h" + + # The trust domain of NGINX Service Mesh. + trustDomain: "example.org" + + # Use persistent storage; "on" assumes that a StorageClass exists. + # Valid values: on, off + persistentStorage: "on" + + # Storage logic for SPIRE Server's private keys. + # Valid values: disk, memory + spireServerKeyManager: "disk" + + # The key type used for the SPIRE Server CA. + # Valid values: ec-p256, ec-p384, rsa-2048, rsa-4096 + caKeyType: "ec-p256" + + ## Upstream authority settings. If left empty, SPIRE is used as the upstream authority. + ## Only uncomment and fill out the object pertinent to you (disk, awsPCA, awsSecret, vault, certManager). + upstreamAuthority: {} + + # # Disk object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_disk.md) + # disk: + # # Contents of your PEM encoded certificate file. Can be set via "--set-file mtls.upstreamAuthority.disk.cert=" + # cert: "" + # # Contents of your PEM encoded key file. Can be set via "--set-file mtls.upstreamAuthority.disk.key=" + # key: "" + # # Optional; contents of your CA bundle file. 
Can be set via "--set-file mtls.upstreamAuthority.disk.bundle=" + # bundle: "" + + # # AWS PCA object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_aws_pca.md) + # awsPCA: + # # AWS region to use + # region: "" + # # ARN of the upstream CA certificate + # certificateAuthorityArn: "" + + # ## Optional auth fields + # ## See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls/#deploy-using-an-upstream-root-ca for instructions on configuring auth for aws_pca + + # # AWS access key ID + # # This access key ID will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod + # awsAccessKeyID: "" + # # AWS secret access key + # # This secret access key will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod + # awsSecretAccessKey: "" + # # ARN of the signing template to use for the server's CA + # # ARN of an IAM role to assume + # # The SPIRE server will need permission to assume this IAM role. Either attach an IAM role to the EC2 instance with the capability to assume this role, or provide your AWS credentials + # assumeRoleArn: "" + + # ## Other optional fields + # caSigningTemplateArn: "" + # # Signing algorithm to use for the server's CA + # signingAlgorithm: "" + # # Endpoint as hostname or fully-qualified URI that overrides the default endpoint + # endpoint: "" + # # Contents of a PEM encoded CA certificates file that should be additionally included in the bundle. + # # Can be set via "--set-file mtls.upstreamAuthority.awsPCA.supplementalBundle=" + # supplementalBundle: "" + + # # AWS Secret object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md) + # awsSecret: + # # AWS region to use + # region: "" + # # ARN of the upstream CA certificate + # certFileArn: "" + # # ARN of the upstream CA key file + # keyFileArn: "" + + # ## Choose an appropriate auth method + + # # AWS access key ID. 
This access key ID will be stored in plaintext in the Spire server configmap. + # # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md) + # awsAccessKeyID: "" + # # AWS secret access key. This secret access key ID will be stored in plaintext in the Spire server configmap. + # # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md) + # awsSecretAccessKey: "" + # # AWS secret token + # awsSecretToken: "" + # # ARN of role to assume + # assumeRoleArn: "" + + # # Vault object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_vault.md) + # vault: + # # URL of the Vault server + # vaultAddr: "" + # # Vault namespace + # namespace: "" + # # Contents of a PEM encoded CA certificate file to verify the Vault server certificate. + # # Can be set via "--set-file mtls.upstreamAuthority.vault.caCert=" + # caCert: "" + # # Name of the mount point where the PKI secret engine is mounted + # pkiMountPoint: "pki" + # # If true, vault client accepts any server certificates + # insecureSkipVerify: false + + # # Client Certificate Authentication + # certAuth: + # # Contents of your client cert file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientCert=" + # clientCert: "" + # # Contents of your client key file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientKey=" + # clientKey: "" + + # ## Optional fields + + # # Name of the mount point where TLS certificate auth method is mounted + # certAuthMountPoint: "cert" + # # Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles. 
+ # certAuthRoleName: "" + + # # Token Authentication + # tokenAuth: + # # Token string set into "X-Vault-Token" header + # token: "" + + # # AppRole Authentication + # approleAuth: + # # An identifier of AppRole + # approleID: "" + # # A credential of AppRole + # approleSecretID: "" + + # # Name of the mount point where the AppRole auth method is mounted + # approleAuthMountPoint: "approle" + + # # Cert Manager object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_cert_manager.md) + # certManager: + # # The namespace to create CertificateRequests for signing. + # namespace: "" + # # The name of the issuer to reference in CertificateRequests. + # issuerName: "" + + # ## Optional fields + + # # The kind of the issuer to reference in CertificateRequests. + # issuerKind: "Issuer" + + # # The group of the issuer to reference in CertificateRequests. + # issuerGroup: "cert-manager.io" + + # # Contents of the kubeconfig file used to connect to the Kubernetes cluster. Empty file will attempt to use an in-cluster config. + # # Can be set via "--set-file mtls.upstreamAuthority.certManager.kubeConfig=". + # kubeConfig: ""
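Review bot: In the commented-out `awsPCA` block the comment `# ARN of the signing template to use for the server's CA` sits directly above the `assumeRoleArn` description, while the key it describes, `caSigningTemplateArn: ""`, appears further down under `## Other optional fields` with no description at all; move that comment line to precede `caSigningTemplateArn`. The two `Address should be in the format .:.` comments (on `prometheusAddress` and `tracing.address`) appear to have lost their placeholder text, presumably something like `<host>:<port>`, leaving the stated format unreadable. The `awsSecret` comments correctly warn that the access key ID and secret access key land in plaintext in the SPIRE server ConfigMap; `awsSecretToken` in the same block presumably has the same exposure but carries no such note.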